[Rt-commit] rtir branch, 2.6/use-l_unsafe, created. 2.6.2rc1-1-gba4e3aa

Kevin Falcone falcone at bestpractical.com
Wed Aug 8 18:39:29 EDT 2012


The branch, 2.6/use-l_unsafe has been created
        at  ba4e3aae903888cf001bb90f4a4094b2a65d52e2 (commit)

- Log -----------------------------------------------------------------
commit ba4e3aae903888cf001bb90f4a4094b2a65d52e2
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Wed Aug 8 18:26:29 2012 -0400

    Begin using l_unsafe in a few places that pass HTML to /l
    
    As part of the security release for 3.8.13 and 4.0.6 RT began escaping
    all HTML passed to /l (see RT's a2a50999aa214fa01bb824d2b6fcec197ec2a8e9
    for more details).

diff --git a/html/RTIR/Search/Elements/ShowResults b/html/RTIR/Search/Elements/ShowResults
index f7d783a..f5ff7df 100644
--- a/html/RTIR/Search/Elements/ShowResults
+++ b/html/RTIR/Search/Elements/ShowResults
@@ -58,8 +58,8 @@ if ( $session{'CurrentUser'}->HasRight( Right => 'SuperUser', Object => $RT::Sys
 % foreach my $key ( keys %hiddens ) {
 <input type="hidden" class="hidden" name="<% $key %>" value="<% defined $hiddens{$key}? $hiddens{$key}: '' %>" />
 % }
-<&|/l, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy') &>grouped by [_1]</&>
-<&|/l, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy') &>grouped by [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
 <input type="submit" class="button" value="<% loc('Go') %>" />
 </form>
 
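Review bot: Switching these two calls from /l to /l_unsafe is the right fix for this hunk, since the `[_1]` argument is the HTML rendered by `$m->scomp('/Search/Elements/SelectGroupBy', ...)` and `$m->scomp('/Search/Elements/SelectChartType', ...)`, which must reach the page unescaped to render as form controls. The trade-off is that /l_unsafe now trusts those arguments wholesale, so it is worth confirming that SelectGroupBy and SelectChartType escape every value they interpolate into their own markup; the `grouped by [_1]` and `style: [_1]` templates themselves contain no user-controlled text, so nothing else in this hunk is affected.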
diff --git a/html/RTIR/Search/Reporting.html b/html/RTIR/Search/Reporting.html
index 9e55c4e..de90d35 100644
--- a/html/RTIR/Search/Reporting.html
+++ b/html/RTIR/Search/Reporting.html
@@ -15,8 +15,8 @@
 <input type="hidden" class="hidden" name="<% $key %>" value="<% $val %>" />
 % }
 <&|/l&>Show chart</&>
-<&|/l, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy', Query => $FullQuery) &>grouped by [_1]</&>
-<&|/l, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy', Query => $FullQuery) &>grouped by [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
 <input type="submit" class="button" name="ShowChart" value="<% loc('Go')%>" />
 </form>
 
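Review bot: Unlike the ShowResults hunk, this call passes `Query => $FullQuery` into SelectGroupBy, and with `/l_unsafe` whatever that component builds from the query is now printed without escaping. If any part of `$FullQuery` (a user-supplied search string) can end up in the rendered select, SelectGroupBy has to HTML-escape it itself; a one-line note in the commit message saying that the sub-components own escaping would make this invariant explicit for the next person who touches these call sites. The adjacent `<&|/l&>Show chart</&>` correctly stays on the escaping /l, since it takes no arguments.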
diff --git a/html/l_unsafe b/html/l_unsafe
new file mode 100755
index 0000000..6396bc6
--- /dev/null
+++ b/html/l_unsafe
@@ -0,0 +1,52 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2012 Best Practical Solutions, LLC
+%#                                          <sales at bestpractical.com>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<%init>
+ my $hand = ($session{'CurrentUser'} ||= RT::CurrentUser->new)->LanguageHandle;
+ $m->print($hand->maketext($m->content, at _));
+ return(1);
+</%init>
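Review bot: The new component has no usage documentation, and its only difference from /l is the absence of escaping, so a short `<%doc>` block (or a `%#` comment above `<%init>`) should state that `/l_unsafe` is for the narrow case where an argument is already-rendered HTML from a trusted component, that callers are responsible for escaping anything user-controlled before passing it in, and that `/l` remains the default. Without that, the name alone is the only signal, and the `$m->print($hand->maketext($m->content, @_))` line makes the lack of escaping easy to miss when the component is copied into another call site. The `||= RT::CurrentUser->new` initialisation of `$session{'CurrentUser'}` matches RT's own /l and looks fine.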

-----------------------------------------------------------------------

