Bug 54703 - adding of new quips could use a few improvements
Status: Closed, VERIFIED WONTFIX
Opened 24 years ago; closed 22 years ago
Product: Bugzilla; Component: Bugzilla-General; enhancement, P3
Reporter: mozilla; Assigned: jacob
Attachments: 1 file, 1 obsolete file (3.05 KB patch; CodeMachine: review-)
Description:
The following patch
- adds a reset button to newquip.html
- makes new_comment.cgi use CGI.pl
- safely allows HTML in quips by using html_quote()
- checks whether adding the quip succeeded (check those return values!)
- outputs the standard bugzilla footer
Comment 1 (Reporter), 24 years ago
Comment 2 (Reporter), 24 years ago
Argh, that patch had a stupid thinko which reintroduced allowing raw HTML in quips. Try this one instead.
Comment 3 (Reporter), 24 years ago
Comment 4, 24 years ago
What does html_quote do? "<" -> "&lt;" etc.?
Comment 5, 24 years ago
I think it's better to tell users that html isn't allowed in new quips than to automatically escape it. And IMO reset buttons are evil.
Comment 6 (Reporter), 24 years ago
Why do you think it's better to refuse html? That just needlessly restricts what the quips can contain. And why do you think reset buttons are evil? Would you advocate removal of all reset buttons from bugzilla, or just here?
Comment 7, 24 years ago
> Why do you think it's better to refuse html?

For security reasons: HTML can contain JS, iframes, images with cookies and all kinds of other evil stuff.

Yes, that's what we "face" on the web all day, too, but the mozilla.org domain is also a testbed for Mozilla, and since development versions can contain all kinds of security bugs, it is essential that the mozilla.org domain is trustworthy. I wouldn't use early Mozilla versions on the bad sides of the net.

Imagine there is a known bug in Mozilla. An attacker could just place an exploit in a quip and get a very high hit rate.
Comment 8 (Reporter), 24 years ago
> > Why do you think it's better to refuse html?
>
> For security reasons: HTML can contain JS, iframes, images with cookie and all
> kinds of other evil stuff.

But escaped HTML can't.
Comment 9, 24 years ago
That (escape it) is what we do today, isn't it?
Comment 10 (Reporter), 24 years ago
No, currently anything with < in is refused.
Comment 11, 24 years ago
The problem is that there are already quite a few quips in the database that do contain HTML. People will see that, and start submitting new quips with HTML tags in them, without realizing that their quips are being escaped. If you add a note to the "add quip" page about escaping, though, it would probably be ok.
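The thread contrasts two ways of handling `<` in a submitted quip: refusing the submission outright (the behaviour comment 10 describes) and accepting it but storing the html_quote()d form (the patch's approach). The following is an added example, not Bugzilla's own code: `html_quote` here is an illustrative equivalent of the Perl function named in the description, the policies and `add_quips`/`render_quips` helpers are assumptions, and the quips are constructed samples. It shows that under both policies a submitted tag never reaches the rendered page as markup, while only the escaping policy lets harmless-looking quips through, and that legacy quips already stored with raw HTML (comment 11's concern) would still be rendered as-is.

```python
"""Two policies for accepting user-supplied quips, as discussed in the thread."""
from typing import Callable, List, Optional

# Constructed sample submissions: plain text, benign formatting, and a tag that
# must never be rendered as live markup.
SAMPLE_QUIPS = [
    "Bugs happen.",
    "Use <b>Mozilla</b> & be happy",
    '<script>doSomething("x")</script>',
]


def html_quote(text: str) -> str:
    """Illustrative equivalent of Bugzilla's html_quote(); not its actual source.
    '&' is replaced first so the entities produced for the other characters
    are not escaped a second time."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


Policy = Callable[[str], Optional[str]]


def refuse_markup(quip: str) -> Optional[str]:
    """Current behaviour per comment 10: any quip containing '<' is rejected."""
    return None if "<" in quip else quip


def escape_markup(quip: str) -> Optional[str]:
    """The patch's approach: accept anything and store the html_quote()d form."""
    return html_quote(quip)


def add_quips(quips: List[str], policy: Policy, store: List[str]) -> dict:
    """Apply a policy to each submission and report what was stored or refused.
    The policy's return value is checked for every quip rather than assumed
    (the description's "check those return values!")."""
    result = {"stored": [], "refused": []}
    for quip in quips:
        stored = policy(quip)
        if stored is None:
            result["refused"].append(quip)
        else:
            store.append(stored)
            result["stored"].append(stored)
    return result


def render_quips(store: List[str]) -> str:
    """Render stored quips into a page fragment without further escaping, i.e.
    the way quips already in the database (comment 11) are rendered today."""
    return "<ul>" + "".join(f"<li>{q}</li>" for q in store) + "</ul>"


def has_active_tag(fragment: str, tag: str = "script") -> bool:
    """Crude check for the demonstration: is a real <tag> present in the
    fragment, as opposed to the inert text '&lt;tag&gt;'?"""
    return f"<{tag}" in fragment.lower()


if __name__ == "__main__":
    for name, policy in (("refuse", refuse_markup), ("escape", escape_markup)):
        store: List[str] = []
        outcome = add_quips(SAMPLE_QUIPS, policy, store)
        page = render_quips(store)
        print(f"{name}: refused={outcome['refused']} active_script={has_active_tag(page)}")

    # A legacy quip stored with raw HTML before any policy existed is rendered
    # untouched, which is why comment 11 wants a note on the add-quip page.
    legacy_store = ["Old quip with <b>bold</b>"]
    print("legacy:", render_quips(legacy_store))
```

The escaping policy is the stronger of the two for the rendered page: the refuse policy only blocks `<`, so it relies on every render path treating the stored text as inert, whereas html_quote() makes the stored text safe regardless. The cost, as comment 11 notes, is that people who see older quips rendered with markup may be surprised to find their own `<b>` tags displayed literally.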
Updated, 24 years ago
Whiteboard: 2.14
Comment 12 (Assignee), 24 years ago
I'll be making some changes to the quip addition as part of bug 67950.
Assignee: tara → jake
Depends on: 67950
Updated (Assignee), 24 years ago
Whiteboard: 2.14 → 2.16
Comment 14, 23 years ago
See also bug #73191.
Updated (Assignee), 23 years ago
Status: NEW → ASSIGNED
Updated, 23 years ago
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated, 23 years ago
Attachment #15838 - Attachment is obsolete: true
Updated, 23 years ago
Attachment #16220 - Flags: review-
Comment 15, 23 years ago
> - adds a reset button to newquip.html

Reset buttons bad.

> - makes new_comment.cgi use CGI.pl
> - outputs the standard bugzilla footer

Done in bug 117759.

> - safely allows HTML in quips by using html_quote()

As discussed, the current solution is best.

> - checks whether adding the quip succeeded (check those return values!)

Can't remember if bug 117759 does this.

Gerv
Comment 16, 22 years ago
All the stuff covered here has either been done already as part of other bugs, or we don't plan on doing it (for the reasons stated in the above comments).
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Target Milestone: Bugzilla 2.18 → ---
Updated, 12 years ago
QA Contact: matty_is_a_geek → default-qa