"My bugs" query is not HTML-escaped

RESOLVED DUPLICATE of bug 364096

Status


Bugzilla
Bugzilla-General
12 years ago
10 years ago

People

(Reporter: justdave, Unassigned)

Details

The "My bugs" template parameter does not get HTML escaped before being used in the footer of Bugzilla pages. This causes HTML validation to fail when you're logged in because the &'s in the query aren't &amp;.

Comment 1

12 years ago
How do you know whether the default query already uses &amp; or not? Mine already has &amp; in it. So filtering it again wouldn't be good IMHO.

Comment 2

12 years ago
Btw, sidebar.xul.tmpl does use FILTER html on the mybugstemplate param. One of these templates is wrong ;)

Comment 3

11 years ago
Not a security bug -> 2.22
Target Milestone: Bugzilla 2.18 → Bugzilla 2.22
Looks like our default My Bugs template already has &amp; in it, so a simple reset of this parameter fixes this bug and makes a gazillion validation errors disappear.

So, do we still want this fixed for the poor folks that manually add bare ampersands in their template? Maybe basic HTML filter added with duplicate (&) suppression capability is needed here. Or maybe bug 133173 will just make all these problems go away..
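The trade-off discussed in comments 1 to 3, as an added example (Python, not Bugzilla's Perl/Template Toolkit code and not taken from this bug): escaping a raw value once, double-escaping a value that already contains &amp;, and an entity-aware filter that only escapes bare ampersands. The function names and the sample query strings are constructed for illustration and are not Bugzilla's default template.

```python
import html
import re

# An ampersand that does NOT already start a character reference
# (named such as &amp;, decimal such as &#38;, hex such as &#x26;).
BARE_AMP = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)")


def escape_once(raw: str) -> str:
    """Plain output escaping. Correct only when the stored value is raw text."""
    return html.escape(raw, quote=True)


def escape_bare_ampersands(value: str) -> str:
    """Entity-aware filter: keeps existing references, escapes everything else.

    Idempotent, but it cannot tell raw text that merely looks like a
    reference from an already-escaped one, so storing the raw value and
    escaping exactly once at output remains the unambiguous design.
    """
    value = BARE_AMP.sub("&amp;", value)
    return value.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")


def footer_link(stored_value: str, filter_fn) -> str:
    """Render a footer link the way a template would, using the given filter."""
    return '<a href="{}">My Bugs</a>'.format(filter_fn(stored_value))


# Constructed sample parameter values: one stored raw, one stored pre-escaped,
# and one edited by hand so that it mixes both styles.
RAW = "buglist.cgi?bug_status=NEW&emailassigned_to1=1&email1=user%40example.com"
PRE_ESCAPED = RAW.replace("&", "&amp;")
MIXED = "buglist.cgi?bug_status=NEW&amp;emailassigned_to1=1&email1=user%40example.com"

if __name__ == "__main__":
    for label, value in (("raw", RAW), ("pre-escaped", PRE_ESCAPED), ("mixed", MIXED)):
        print(label)
        print("  escape once  :", footer_link(value, escape_once))
        print("  entity-aware :", footer_link(value, escape_bare_ampersands))
```
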

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 364096

Updated

10 years ago
Target Milestone: Bugzilla 2.22 → ---