Closed Bug 345346 Opened 19 years ago Closed 18 years ago

config.cgi's XML format does "FILTER uri" or "FILTER html" where it should do "FILTER xml"

Categories

(Bugzilla :: Bugzilla-General, defect)

2.22
defect
Not set
normal

RESOLVED DUPLICATE of bug 264785

People

(Reporter: mkanat, Unassigned)

Here's a sample line from template/en/default/config.rdf.html:

> <bz:product rdf:about="[% Param('urlbase') %]product.cgi?name=[% product.name FILTER uri %]">

If the product.name has an & symbol in it, then that's invalid XML, because the & won't be escaped.

Also, this file has "FILTER html" all over it, when it really ought to have "FILTER xml" as far as I can see.

CC'ing folks who ought to be able to tell me at least whether or not I'm totally correct, from an XML standpoint.

config.cgi is supposed to be a stable API, though, so we shouldn't change it on the branches.

(In reply to comment #0)
> If the product.name has an & symbol in it, then that's invalid XML, because the
> & won't be escaped.

No, |FILTER uri| in TT 2.16 and newer correctly escapes all reserved characters:

* Changed the uri filter to escape all reserved characters as per URI::Escape and RFC2396. This now includes &, @, /, ;, :, =, +, ? and $ which were previously not escaped.

So using this filter is fine. Not sure about FILTER html and FILTER xml, though.

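
Added example, not part of the bug report or of Bugzilla's code: a Python sketch of the two escaping layers the comments above discuss, checking both XML well-formedness and the product name a server would recover from rdf:about. `uri_filter` and `xml_filter` are stand-ins modelled on the behaviour described in the thread, not Template Toolkit's implementation; the URL base, the bz namespace and the product name are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit, parse_qs
from xml.sax.saxutils import escape

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
BZ_NS = "http://example.invalid/bz#"            # placeholder namespace (assumption)
URLBASE = "https://bugzilla.example.invalid/"   # constructed urlbase

def uri_filter(s):
    """Stand-in for the uri filter as described: percent-encode every reserved character."""
    return quote(s, safe="")

def xml_filter(s):
    """Stand-in for an XML filter: escape &, <, > and both quote characters."""
    return escape(s, {'"': "&quot;", "'": "&apos;"})

def render(encoded_name):
    """Build the element from the sample template line with an already-encoded name."""
    return ('<bz:product xmlns:bz="%s" xmlns:rdf="%s" '
            'rdf:about="%sproduct.cgi?name=%s"/>'
            % (BZ_NS, RDF_NS, URLBASE, encoded_name))

def parsed_about(doc):
    """rdf:about as an XML parser sees it, or None if the document is not well-formed."""
    try:
        return ET.fromstring(doc).get("{%s}about" % RDF_NS)
    except ET.ParseError:
        return None

def name_param(url):
    """Product name a server would recover from the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("name", [None])[0]

def check(name):
    """Map each encoding to (well_formed, name recovered from rdf:about)."""
    encoders = {
        "none": lambda s: s,
        "uri": uri_filter,
        "xml": xml_filter,
        "uri+xml": lambda s: xml_filter(uri_filter(s)),
    }
    results = {}
    for label, encode in encoders.items():
        about = parsed_about(render(encode(name)))
        results[label] = (about is not None,
                          name_param(about) if about is not None else None)
    return results

if __name__ == "__main__":
    for label, outcome in check('R&D "Tools"').items():   # constructed product name
        print(label, outcome)
```

Percent-encoding alone keeps this attribute well-formed and the URL correct; XML escaping alone yields well-formed XML whose URL still splits at the `&`, so the two filters protect different layers.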
Depends on: 398701
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 3.0 → ---