91626 - query.cgi javascript fails to escape component names

Status: RESOLVED WORKSFORME

(Bugzilla :: Administration, task, P1)

Description

[mwrona]

- create new component named ' (single quote)
- go to query page
- type javascript: in your browser URL window and you'll see error:
http://xxxxxxx/bugzilla/query.cgi, line 9:

unterminated string literal. 

cpts['''] = new Array();
.......^

The problem is that script(s?) doesn't validate user input accepts such strange
names as, e.g. ' or new-line (yes, I managed to do that with mouse copy-paste).
IMHO all user input should be trimmed to some well-defined subset of ASCII.

Comment 1

[Jacob Steenhagen]

-> New Bugzilla Product

Comment 2

[Andreas Franke (gone)]

See also bug 98181 "/query.cgi doesn't handle single quotes (') in component
names".

Comment 3

[Dave Miller [:justdave]]

data validation errors suck.  Release blocker...

kiko, you're already CCed...  this is your department I think.  Does your
pending javascript patch for the query page fix this already?

Comment 4

[Dave Miller [:justdave]]

*** Bug 98181 has been marked as a duplicate of this bug. ***

Comment 5

[Christian Reis]

I created both a product and a component called ' and nothing broke. It even
restored selections properly with bug 97966 fixed locally.

Apparently this was fixed by both Gerv's template work and my
index-by-number-instead-of-component-name patch to bug 122154.

WORKSFORME on the tip.

Comment 6

[Dave Miller [:justdave]]

clearing milestones on DUPLICATE/WONTFIX/WORKSFORME/INVALID bugs (so they'll
show up as needing triage if they get reopened)