Closed Bug 54703 Opened 24 years ago Closed 22 years ago

adding of new quips could use a few improvements

Categories

(Bugzilla :: Bugzilla-General, enhancement, P3)

enhancement

Tracking


VERIFIED WONTFIX

People

(Reporter: mozilla, Assigned: jacob)

References

Details

Attachments

(1 file, 1 obsolete file)

The following patch

  - adds a reset button to newquip.html
  - makes new_comment.cgi use CGI.pl
  - safely allows HTML in quips by using html_quote()
  - checks whether adding the quip succeeded (check those return values!)
  - outputs the standard bugzilla footer
Attached patch improvements to adding quips (obsolete) — Splinter Review
Argh, that patch had a stupid thinko which reintroduced allowing raw HTML in
quips.  Try this one instead.
What does html_quote do? "<" -> "&lt;" etc.?
I think it's better to tell users that html isn't allowed in new quips than to 
automatically escape it.  And IMO reset buttons are evil.
Why do you think it's better to refuse html?  That just needlessly restricts
what the quips can contain.

And why do you think reset buttons are evil?  Would you advocate removal
of all reset buttons from bugzilla, or just here?
> Why do you think it's better to refuse html?

For security reasons: HTML can contain JS, iframes, images with cookie and all
kinds of other evil stuff.

Yes, that's why we "face" on the web all day, too, but the mozilla.org domain is
also a testbed for Mozilla and since development versions can contain all kinds
of security bugs, it is essential that the mozilla.org domain is trustworthy. I
wouldn't use early Mozilla versions on the bad sides of the net.

Imagine there is a known bug in Mozilla. An attacker could just place an
exploit in a quip and get a very high hit rate.
> > Why do you think it's better to refuse html?
>
> For security reasons: HTML can contain JS, iframes, images with cookie and all
> kinds of other evil stuff.

But escaped HTML can't.
That (escaping it) is what we do today, isn't it?
No, currently anything with < in is refused.
The problem is that there are already quite a few quips in the database that do
contain HTML.  People will see that, and start submitting new quips with HTML
tags in them, without realizing that their quips are being escaped.

If you add a note to the "add quip" page about escaping, though, it would
probably be ok.
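The two policies argued over above (refuse anything containing "<" versus storing the html_quote()d text) and the "check those return values" point from the patch description, as an added example that is not Bugzilla's own code. It assumes a constructed in-memory SQLite table standing in for the real quips table, and uses Python's html.escape in place of Bugzilla's html_quote().

```python
import html
import sqlite3


def open_store():
    """Constructed stand-in for the quips table (assumption, not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quips (quipid INTEGER PRIMARY KEY, quip TEXT NOT NULL UNIQUE)")
    return db


def html_quote(text):
    """Escape <, >, &, " and ' so the quip is rendered as literal text, never as markup."""
    return html.escape(text, quote=True)


def add_quip(db, text, policy="escape"):
    """Store one quip under the chosen policy and report whether it was really written.

    'refuse': reject any submission containing '<' (the behaviour described as current).
    'escape': html_quote() the text so tags are displayed instead of interpreted.
    Returns (ok, detail): ok is True only when the INSERT actually affected a row.
    """
    text = text.strip()
    if not text:
        return False, "empty quip refused"
    if policy == "refuse":
        # Note: this only catches tags; a bare '&' still slips through and is
        # mis-rendered as an entity start if the page later prints it raw.
        if "<" in text:
            return False, "HTML is not allowed in quips"
        stored = text
    elif policy == "escape":
        stored = html_quote(text)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    try:
        cur = db.execute("INSERT INTO quips (quip) VALUES (?)", (stored,))
    except sqlite3.IntegrityError:
        return False, "quip already exists"
    if cur.rowcount != 1:  # the check the original new_comment.cgi skipped
        return False, "database did not report a successful insert"
    db.commit()
    return True, stored


def list_quips(db):
    return [row[0] for row in db.execute("SELECT quip FROM quips ORDER BY quipid")]
```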
Whiteboard: 2.14
I'll be making some changes to the quip addition as part of bug 67950.
Assignee: tara → jake
Depends on: 67950
Whiteboard: 2.14 → 2.16
moving to real milestones...
Target Milestone: --- → Bugzilla 2.16
Keywords: patch, review
Whiteboard: 2.16
Status: NEW → ASSIGNED
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Attachment #15838 - Attachment is obsolete: true
Attachment #16220 - Flags: review-
Keywords: patch, review
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
  - adds a reset button to newquip.html

Reset buttons bad.

  - makes new_comment.cgi use CGI.pl
  - outputs the standard bugzilla footer

Done in bug 117759.

  - safely allows HTML in quips by using html_quote()

As discussed, the current solution is best.

  - checks whether adding the quip succeeded (check those return values!)

Can't remember if bug 117759 does this.

Gerv
All the stuff covered here has either been done already as part of other bugs,
or we don't plan on doing (for the reasons stated in the above comments).
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Target Milestone: Bugzilla 2.18 → ---
V.
Status: RESOLVED → VERIFIED
QA Contact: matty_is_a_geek → default-qa