Closed Bug 814841 Opened 13 years ago Closed 13 years ago

The description of custom fields is not filtered in the help page

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
minor

Tracking


RESOLVED FIXED
Bugzilla 4.4

People

(Reporter: insecurity.ro, Assigned: LpSolit)

References

Details

Attachments

(1 file, 1 obsolete file)

Attached image error.jpg (obsolete)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20121119183901

Steps to reproduce:

Hello, some error in Bugzilla again. Use my login and password for the test: https://oj2xywb2bi6e.demo.bugzilla.org
user: insecurity.ro@gmail.com
password: 1a2a3a

Actual results:

https://oj2xywb2bi6e.demo.bugzilla.org/editfields.cgi
https://oj2xywb2bi6e.demo.bugzilla.org/show_bug.cgi?id=18793
https://oj2xywb2bi6e.demo.bugzilla.org/page.cgi?id=fields.html

Expected results:

Only with an admin account.
Field descriptions are not filtered on purpose, to let admins format their text a bit; see bug 529201. As there is no reason to allow JS code here, we could replace FILTER none with FILTER html_light, as we do everywhere else for field descriptions. But this is in no way a security bug, as field descriptions are fully controlled by admins.
Group: bugzilla-security
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Bugzilla 4.2
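Comment 1 proposes switching the help-page template from FILTER none to FILTER html_light so that admins keep basic formatting in field descriptions but no script can reach the page. The block below is an added example, not Bugzilla's code and not the real html_light filter (whose allowlist lives in Bugzilla's own Template.pm and is not reproduced here). It contrasts the two approaches in Python: an identity filter that passes the description through untouched, beside an allowlist filter that keeps a constructed set of formatting tags, drops every attribute, re-escapes all text and closes any tags left open. The tag set and the sample descriptions are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this demonstration only. It is NOT a copy of the
# list used by Bugzilla's html_light filter; any real deployment should take
# the list from its own template library.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "tt", "code", "br", "p", "ul", "ol", "li"}
VOID_TAGS = {"br"}


class LightHtmlFilter(HTMLParser):
    """Re-emit only allowlisted tags, stripped of all attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowlisted tags still waiting for a close

    def handle_starttag(self, tag, attrs):
        # Tags outside the allowlist (script, img, a, ...) are dropped entirely.
        # Attributes are never re-emitted, so href/style/on* handlers cannot survive.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # Close back to the matching tag so the emitted nesting stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text; re-escape it so that
        # literal '<', '>' and '&' in a description cannot form new markup.
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        # Unterminated tags would otherwise leak into the rest of the page.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def filter_none(description: str) -> str:
    """The 'before' behaviour: the admin-supplied text is emitted verbatim."""
    return description


def filter_html_light(description: str) -> str:
    """The 'after' behaviour: formatting tags survive, everything else is inert text."""
    p = LightHtmlFilter()
    p.feed(description)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample description an admin might type into a custom field.
    sample = '<b>Ship date</b> for the release <i title="x">(YYYY-MM-DD)</i><script>alert(1)</script>'
    print("FILTER none      :", filter_none(sample))
    print("FILTER html_light:", filter_html_light(sample))
```

The identity filter is shown only to make the contrast concrete; the page's fix replaces it with the allowlist form, which is the right default for any admin-editable text that ends up inside an HTML page.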
Actually, only 4.4 and newer are affected, since we implemented the "Long Description" attribute of custom fields, see bug 728138. 4.2 and older are not affected.
Depends on: 728138
Summary: custom field in bugzilla is not filtered → The description of custom fields is not filtered in the help page
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Attached patch patch, v1 (Splinter Review)
Assignee: general → LpSolit
Attachment #684842 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #684843 - Flags: review?(dkl)
Yes, I know this bug is not a security bug, but today I had time for my hobby and I found this error. If this is not interesting, next time I won't put it here.
(In reply to Sony from comment #4)
> Yes, I know this bug is not a security bug, but today I had time for my
> hobby and I found this error. If this is not interesting, next time I won't
> put it here.

I never said this isn't interesting. I said this isn't a security bug, and so there is no need to check the "Security" checkbox when reporting the bug. This is spamming the whole security team for something which is harmless. But just because a bug is not considered a security issue doesn't mean we don't want to fix the problem. See, I uploaded a patch already. :)
OK :) Thank you for the clarification!
Comment on attachment 684843 [details] [diff] [review]
patch, v1

Review of attachment 684843 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #684843 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/pages/fields.html.tmpl
Committed revision 8485.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/pages/fields.html.tmpl
Committed revision 8469.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED