Bug 814841
Opened 13 years ago
Closed 13 years ago
The description of custom fields is not filtered in the help page
Categories: Bugzilla :: Bugzilla-General, defect
Tracking: RESOLVED FIXED, Bugzilla 4.4
People: Reporter: insecurity.ro, Assigned: LpSolit
Attachments (1 file, 1 obsolete file): patch, 715 bytes, dkl: review+
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901
Steps to reproduce:
Hello, some error in Bugzilla again.
Use my login and password for test:
https://oj2xywb2bi6e.demo.bugzilla.org
user: insecurity.ro@gmail.com
password: 1a2a3a
Actual results:
https://oj2xywb2bi6e.demo.bugzilla.org/editfields.cgi
https://oj2xywb2bi6e.demo.bugzilla.org/show_bug.cgi?id=18793
https://oj2xywb2bi6e.demo.bugzilla.org/page.cgi?id=fields.html
Expected results:
Only with an admin account.
Comment 1 • 13 years ago
Field descriptions are not filtered on purpose to let admins format their text a bit, see bug 529201. As there is no reason to allow JS code here, we could replace FILTER none by FILTER html_light as we do everywhere else for field descriptions. But this is in no way a security bug as they are fully controlled by admins.
Group: bugzilla-security
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Bugzilla 4.2
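To make the difference in Comment 1 concrete, here is an added Python illustration (not Bugzilla's own code) of `FILTER none` versus an `html_light`-style filter applied to a custom-field description. The allowlisted tag set and the sample description are assumptions constructed for the example.

```python
import html
import re

# Allowlist of bare formatting tags this filter lets through. The set is an
# assumption for this example, not Bugzilla's exact html_light list.
SAFE_TAGS = {"b", "i", "u", "em", "strong", "code", "tt", "sub", "sup",
             "ul", "ol", "li", "br"}

# Matches an already-escaped tag that carries no attributes, e.g. "&lt;/b&gt;".
_ESCAPED_TAG = re.compile(r"&lt;(/?)([a-zA-Z]+)\s*/?&gt;")


def filter_none(text: str) -> str:
    """Behaviour of [% ... FILTER none %]: the value is emitted verbatim."""
    return text


def filter_html_light(text: str) -> str:
    """Escape everything, then restore only bare allowlisted tags."""
    escaped = html.escape(text, quote=False)

    def restore(m: re.Match) -> str:
        slash, name = m.group(1), m.group(2).lower()
        if name in SAFE_TAGS:
            return f"<{slash}{name}>"
        return m.group(0)  # anything else (script, tags with attributes) stays escaped

    return _ESCAPED_TAG.sub(restore, escaped)


def renders_script(rendered: str) -> bool:
    """True if the rendered output still contains a live <script> tag."""
    return re.search(r"<script\b", rendered, re.I) is not None


# Constructed custom-field description: legitimate formatting plus a script.
DESCRIPTION = "Set to <b>High</b> for customer issues.<script>alert(1)</script>"

if __name__ == "__main__":
    for label, fn in (("none", filter_none), ("html_light", filter_html_light)):
        out = fn(DESCRIPTION)
        print(f"FILTER {label:<10} script live: {renders_script(out)}")
        print("   ", out)
```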
Comment 2 • 13 years ago
Actually, only 4.4 and newer are affected, since we implemented the "Long Description" attribute of custom fields, see bug 728138. 4.2 and older are not affected.
Depends on: 728138
Summary: custom field in bugzilla is not filtered → The description of custom fields is not filtered in the help page
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Comment 3 • 13 years ago
Assignee: general → LpSolit
Attachment #684842 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #684843 - Flags: review?(dkl)
Comment 4 • 13 years ago
Yes, I know this bug is not a security bug, but today I had time for my hobby, and I found this error. If this is not interesting, next time I won't put it here.
Comment 5 • 13 years ago
(In reply to Sony from comment #4)
> Yes, I know this bug is not a security bug, but today I had time for my
> hobby, and I found this error. If this is not interesting, next time I won't
> put it here.
I never said this isn't interesting. I said this isn't a security bug, and so there is no need to check the "Security" checkbox when reporting the bug. This is spamming the whole security team for something which is harmless. But because a bug is not considered a security issue doesn't mean we don't want to fix the problem. See, I uploaded a patch already. :)
Comment 7 • 13 years ago
Comment on attachment 684843 [details] [diff] [review]
patch, v1
Review of attachment 684843 [details] [diff] [review]:
-----------------------------------------------------------------
r=dkl
Attachment #684843 - Flags: review?(dkl) → review+
Updated • 13 years ago
Flags: approval?
Flags: approval4.4?
Updated • 13 years ago
Flags: approval? → approval+
Flags: approval4.4? → approval4.4+
Comment 8 • 13 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/pages/fields.html.tmpl
Committed revision 8485.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/pages/fields.html.tmpl
Committed revision 8469.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED