Closed
Bug 192661
Opened 22 years ago
Closed 22 years ago
Dependency graphs print bug summaries without html encoding
Categories: Bugzilla :: Reporting/Charting, defect
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.18
People: Reporter: jouni, Assigned: justdave
(Whiteboard: [fixed in 2.16.3] [fixed in 2.17.4])
Attachments (2 files):
  853 bytes, patch: gerv review+, bbaetz review+
  846 bytes, patch: gerv review+, bbaetz review+
Locally generated dependency graphs print bug summaries without HTML encoding
when including summaries. I noticed this when patching bug 166346, and the patch
there doesn't include a fix for this.
To reproduce: configure BZ to use a local dot installation, give a bug a summary
like '"><script>alert('yeah!')</script>' and create a dep graph with summaries.
You should see the alert dialog.
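The defect the reporter describes, beside its fix, as an added Python example that is not Bugzilla's own code (showdependencygraph.cgi is Perl and its patch is not shown here). It assumes the summary ends up in the title attribute of an HTML image map generated alongside the dot graph; the map layout and the sample bug table are constructed for the example.

```python
# Added example, not Bugzilla's code: HTML-encoding untrusted bug summaries
# before they are written into a generated image map.
import html
import re

# Constructed sample data: bug id -> summary. Bug 2 carries the reporter's
# test string from the bug description.
SAMPLE_BUGS = {
    1: "Dependency graphs print bug summaries without HTML encoding",
    2: "\"><script>alert('yeah!')</script>",
}


def area_tag_unsafe(bug_id, summary):
    """The defect: the summary is interpolated into the attribute as-is."""
    return f'<area href="show_bug.cgi?id={bug_id}" title="{summary}">'


def area_tag_safe(bug_id, summary):
    """The fix: HTML-encode the summary; quote=True also encodes \" and '."""
    safe = html.escape(summary, quote=True)
    return f'<area href="show_bug.cgi?id={bug_id}" title="{safe}">'


def render_image_map(bugs, escape=True):
    """Render the whole <map> for the graph, with or without encoding."""
    tag = area_tag_safe if escape else area_tag_unsafe
    areas = [tag(bug_id, summary) for bug_id, summary in sorted(bugs.items())]
    return "\n".join(['<map name="deps">', *areas, "</map>"])


def tags_in(markup):
    """List the tag names present; a clean map for N bugs holds only
    'map', N times 'area', and '/map'. Anything else was injected."""
    return re.findall(r"<(/?[a-zA-Z]+)", markup)


if __name__ == "__main__":
    for escape in (False, True):
        rendered = render_image_map(SAMPLE_BUGS, escape=escape)
        print(rendered)
        print("tags:", tags_in(rendered))
```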
Comment 1•22 years ago
uh oh
FYI, this is in the 2.16 branch as well. 2.16.3 here we come
Target Milestone: --- → Bugzilla 2.18
Updated•22 years ago
Whiteboard: [wanted for 2.16.3]
Comment 3•22 years ago
Comment 4•22 years ago
Updated•22 years ago
Attachment #114184 - Flags: review?(gerv)
Updated•22 years ago
Attachment #114184 - Flags: review?(bbaetz)
Updated•22 years ago
Attachment #114185 - Flags: review?(gerv)
Updated•22 years ago
Attachment #114185 - Flags: review?(bbaetz)
Comment 5•22 years ago
You can experience this exploit first-hand at
http://landfill.bugzilla.org/bugzilla-tip/showdependencygraph.cgi?id=1&showsummary=on
Comment 6•22 years ago
Comment on attachment 114184 [details] [diff] [review]
Patch against tip
Ew, that code is ugly.
r=bbaetz
Attachment #114184 - Flags: review?(bbaetz) → review+
Comment 7•22 years ago
Comment on attachment 114185 [details] [diff] [review]
patch against 2.16 branch
And again, eww + r=bbaetz
Attachment #114185 - Flags: review?(bbaetz) → review+
Comment 8•22 years ago
Comment on attachment 114185 [details] [diff] [review]
patch against 2.16 branch
r=gerv.
Gerv
Attachment #114185 - Flags: review?(gerv)
Comment 9•22 years ago
Comment on attachment 114184 [details] [diff] [review]
Patch against tip
r=gerv.
Gerv
Attachment #114184 - Flags: review?(gerv)
Comment 10•22 years ago
Putting this on the approval list... will hold it there until about a day
before we're ready to roll with the release announcement, then we'll check it
in. (that way we don't have it showing up on bonsai where people can see it
before it's been announced)
Flags: approval?
Whiteboard: [wanted for 2.16.3] → [fixed in 2.16.3][fixed on trunk][pending checkin on both]
Comment 11•22 years ago
I applied this patch on bmo, because it's now using local dot.
Comment 12•22 years ago
Just as FYI, this was introduced with the checkin from bug 134571, which was
checked in on 2002-05-07.
Comment 13•22 years ago
This is on hold for the moment until we sort out another security hole that was
just found. We were mere hours from releasing 2.16.3 and 2.17.4 this morning
when it was found and I got a frantic "stop the presses" email. We'll probably
be a few days sorting it out, but 2.16.3 and 2.17.4 will go out (with this in
it) as soon as we have all the known holes plugged.
Updated•22 years ago
Flags: approval? → approval+
Comment 14•22 years ago
HEAD:
Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <--
showdependencygraph.cgi
new revision: 1.27; previous revision: 1.26
done
BUGZILLA-2_16-BRANCH:
Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v <--
showdependencygraph.cgi
new revision: 1.18.2.2; previous revision: 1.18.2.1
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated•22 years ago
Whiteboard: [fixed in 2.16.3][fixed on trunk][pending checkin on both] → [fixed in 2.16.3][fixed on trunk]
Updated•22 years ago
Whiteboard: [fixed in 2.16.3][fixed on trunk] → [fixed in 2.16.3] [fixed in 2.17.4]
Comment 15•22 years ago
Security Advisory has been posted, removing security group
Group: webtools-security
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa