The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)

Status: ASSIGNED
Severity: minor
Reported: 12 years ago
Modified: 5 years ago
Reporter: reed, Assigned: reed
Attachments: 1 attachment, 2 obsolete attachments

(Assignee)

Description

12 years ago
Currently, mybugstemplate uses &amp; and defaultquery uses &. The two parameters either both need to use & or both need to use &amp;. Using & will generate invalid HTML unless the href is filtered with url_quote first. &amp; is valid HTML.
(Assignee)

Comment 1

12 years ago
Created attachment 248886 [details] [diff] [review]
Use &amp; for both - v1

Use &amp; for both.
Assignee: administration → reed
Status: NEW → ASSIGNED
Attachment #248886 - Flags: review?(LpSolit)
(Assignee)

Comment 2

12 years ago
Created attachment 248887 [details] [diff] [review]
Use & for both - v1

Use & for both.
Attachment #248887 - Flags: review?(LpSolit)
(Assignee)

Comment 3

12 years ago
Please choose one patch or the other, depending on what you decide to do. I will fix the issue of the url_quote filter not being used in another bug, so I haven't included it in the &amp; one.

Comment 4

12 years ago
Comment on attachment 248886 [details] [diff] [review]
Use &amp; for both - v1

Too dangerous as an admin could change it back to &, by accident.
Attachment #248886 - Flags: review?(LpSolit) → review-

Comment 5

12 years ago
Comment on attachment 248887 [details] [diff] [review]
Use & for both - v1

Some places are not correctly filtered with this change. They must be fixed in the same patch.
Attachment #248887 - Flags: review?(LpSolit) → review-
(Assignee)

Comment 6

12 years ago
Created attachment 248926 [details] [diff] [review]
Use & and add filter - v2

Use & for mybugstemplate and then add FILTER html to places that were missing it.
Attachment #248886 - Attachment is obsolete: true
Attachment #248887 - Attachment is obsolete: true
Attachment #248926 - Flags: review?(LpSolit)
Comment 7

> Created an attachment (id=248926) [edit]

you should add a note on the admin page (admin/params/query...), something like:

<br>Note " _
"that this value will be escaped so use unescaped " _
"strings e.g.: &amp; instead of &amp;amp;.

Comment 8

12 years ago
The problem with this bug/patch is that the query stored in data/params should be converted too, independently of the fix chosen (&amp; or & for both queries). I tested attachment 248926 [details] [diff] [review], and Apache seems to be able to parse it correctly anyway, even though the URL is now:

https://localhost/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailreporter1=1&amp;emailtype1=exact&amp;email1=LpSolit%40netscape.net&amp;field0-0-0=bug_status&amp;type0-0-0=notequals&amp;value0-0-0=UNCONFIRMED&amp;field0-0-1=reporter&amp;type0-0-1=equals&amp;value0-0-1=LpSolit%40netscape.net

When I click the "Edit Search" link, I get the following weird URL:

https://localhost/bugzilla/query.cgi?amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=LpSolit%40netscape.net&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&field-1-0-0=bug_status&field-1-1-0=assigned_to&field-1-1-1=reporter&field0-0-0=bug_status&field0-0-1=reporter&query_format=advanced&remaction=&type-1-0-0=anyexact&type-1-1-0=anyexact&type-1-1-1=anyexact&type0-0-0=notequals&type0-0-1=equals&value-1-0-0=UNCONFIRMED%2CNEW%2CASSIGNED%2CREOPENED&value-1-1-0=LpSolit%40netscape.net&value-1-1-1=LpSolit%40netscape.net&value0-0-0=UNCONFIRMED&value0-0-1=LpSolit%40netscape.net

Don't ask me how this URL has been generated, I have no idea. But the query form is correctly filled. So I may accept this patch as is, but I want some feedback/comments first.

Comment 9

12 years ago
Comment on attachment 248926 [details] [diff] [review]
Use & and add filter - v2

Per discussion with mkanat on IRC, this patch still has to convert the 'mybugstemplate' parameter stored in data/params. You do it from Bugzilla::Config::update_params().
Attachment #248926 - Flags: review?(LpSolit) → review-

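Added example (not code from any attachment on this bug; Python rather than Bugzilla's Perl) showing why the stored value and the template filter must agree: an unfiltered bare '&' is invalid markup, while a stored '&amp;' pushed through FILTER html is double-escaped, so the browser requests a URL containing a literal '&amp;' and the CGI sees a parameter named 'amp;assigned_to', the breakage comment 8 saw and the data/params conversion comment 9 asks for avoids. The sample template, the e-mail address and migrate_stored_value() are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample values standing in for the stored 'mybugstemplate'
# parameter: one with a bare '&' separator, one pre-escaped as '&amp;'.
STORED_AMP = "buglist.cgi?bug_status=NEW&assigned_to=%s"
STORED_ENTITY = "buglist.cgi?bug_status=NEW&amp;assigned_to=%s"

# An '&' inside an attribute value is only valid HTML when it starts an
# entity reference (&name; &#nn; &#xhh;); anything else is a bare ampersand.
BARE_AMP = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);)")

def render_href(stored_value, html_filter):
    """The href attribute value the template emits. html_filter=True models
    'FILTER html' (entity-escape on output); False is the unfiltered
    interpolation this bug is about."""
    url = stored_value % "reed%40example.org"  # constructed address
    return html.escape(url, quote=True) if html_filter else url

def is_valid_html_attr(href_attr):
    return BARE_AMP.search(href_attr) is None

def browser_target(href_attr):
    """The URL the browser requests: entities in the attribute are decoded
    exactly once, so '&amp;amp;' becomes a literal '&amp;' in the URL."""
    return html.unescape(href_attr)

def query_param_names(url):
    """Parameter names the CGI sees; split on '&' only, as buglist.cgi would."""
    return [part.split("=", 1)[0] for part in urlsplit(url).query.split("&") if part]

def outcome(stored_value, html_filter):
    """(is the markup valid?, which parameter names reach the CGI?)"""
    href = render_href(stored_value, html_filter)
    return is_valid_html_attr(href), query_param_names(browser_target(href))

def migrate_stored_value(stored_value):
    """One-time conversion of an already-escaped stored value to a plain URL,
    the data/params update comment 9 asks for (hypothetical helper, not
    Bugzilla::Config::update_params itself)."""
    return stored_value.replace("&amp;", "&")

if __name__ == "__main__":
    for label, stored in (("&", STORED_AMP), ("&amp;", STORED_ENTITY)):
        for filt in (False, True):
            print(f"stored {label:5} FILTER html={filt!s:5} ->", outcome(stored, filt))
    print("migrated, FILTER html=True ->", outcome(migrate_stored_value(STORED_ENTITY), True))
```
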
Updated

11 years ago
Duplicate of this bug: 313690

Comment 11

10 years ago
The Bugzilla 3.0 branch is now locked to security bugs and dataloss fixes only. This bug doesn't fit into one of these two categories and is retargeted to 3.2 as part of a mass-change. To catch bugmails related to this mass-change, use lts081207 in your email client filter.
Target Milestone: Bugzilla 3.0 → Bugzilla 3.2

Comment 12

9 years ago
Bugzilla 3.2 is restricted to security bugs only. Moreover, this bug is either assigned to nobody or got no traction for several months now. Rather than retargeting it at each new release, I'm clearing the target milestone and the bug will be retargeted to some sensible release when someone starts fixing this bug for real (Bugzilla 3.8 more likely).
Target Milestone: Bugzilla 3.2 → ---

Updated

6 years ago
Duplicate of this bug: 814049

Updated

6 years ago
Summary: Bugzilla/Config/Query.pm's defaults for mybugstemplate and defaultquery should either use &amp; or &, not both! → The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)