[Rt-commit] rtir branch, 2.9/use-l_unsafe, created. 3.0.0rc1-7-g9a60e77

Kevin Falcone falcone at bestpractical.com
Mon Aug 13 18:07:25 EDT 2012


The branch, 2.9/use-l_unsafe has been created
        at  9a60e775b6c66cda466d5ee1abc620f595390ec5 (commit)

- Log -----------------------------------------------------------------
commit 9a60e775b6c66cda466d5ee1abc620f595390ec5
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Mon Aug 13 18:06:23 2012 -0400

    Begin using l_unsafe in a few places that pass HTML to /l
    
    As part of the security release for 3.8.13 and 4.0.6 RT began escaping
    all HTML passed to /l (see RT's a2a50999aa214fa01bb824d2b6fcec197ec2a8e9
    for more details).
    
    This is a forward-port of ba4e3aae903888cf001bb90f4a4094b2a65d52e2 to
    the 2.9-trunk layout.

diff --git a/html/RTIR/Search/Reporting.html b/html/RTIR/Search/Reporting.html
index c4518ad..5f3e796 100644
--- a/html/RTIR/Search/Reporting.html
+++ b/html/RTIR/Search/Reporting.html
@@ -9,8 +9,8 @@
 <input type="hidden" class="hidden" name="<% $key %>" value="<% $val %>" />
 % }
 <&|/l&>Show chart</&>
-<&|/l, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy', Query => $FullQuery) &>grouped by [_1]</&>
-<&|/l, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectGroupBy', Name => 'PrimaryGroupBy', Query => $FullQuery) &>grouped by [_1]</&>
+<&|/l_unsafe, $m->scomp('/Search/Elements/SelectChartType', Name => 'ChartStyle') &>style: [_1]</&>
 <input type="submit" class="button" name="ShowChart" value="<% loc('Go')%>" />
 </form>
 
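Review bot: the two `/l_unsafe` calls now emit `[_1]` with no escaping at all, so the safety of these lines rests entirely on `/Search/Elements/SelectGroupBy` and `/Search/Elements/SelectChartType` escaping anything user-derived in their own output (the `Query => $FullQuery` argument reaches SelectGroupBy); confirm both components do so before merging. The argument-free `<&|/l&>Show chart</&>` correctly stays on `/l`; a one-line `%#` comment above the two changed lines saying why `l_unsafe` is required here (the scomp output is pre-rendered markup) would stop a later cleanup from reverting them back to `/l` and breaking the widgets, or from copying the `l_unsafe` form onto lines that carry user-supplied text.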
diff --git a/html/l_unsafe b/html/l_unsafe
new file mode 100755
index 0000000..6396bc6
--- /dev/null
+++ b/html/l_unsafe
@@ -0,0 +1,52 @@
+%# BEGIN BPS TAGGED BLOCK {{{
+%#
+%# COPYRIGHT:
+%#
+%# This software is Copyright (c) 1996-2012 Best Practical Solutions, LLC
+%#                                          <sales at bestpractical.com>
+%#
+%# (Except where explicitly superseded by other copyright notices)
+%#
+%#
+%# LICENSE:
+%#
+%# This work is made available to you under the terms of Version 2 of
+%# the GNU General Public License. A copy of that license should have
+%# been provided with this software, but in any event can be snarfed
+%# from www.gnu.org.
+%#
+%# This work is distributed in the hope that it will be useful, but
+%# WITHOUT ANY WARRANTY; without even the implied warranty of
+%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%# General Public License for more details.
+%#
+%# You should have received a copy of the GNU General Public License
+%# along with this program; if not, write to the Free Software
+%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+%# 02110-1301 or visit their web page on the internet at
+%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+%#
+%#
+%# CONTRIBUTION SUBMISSION POLICY:
+%#
+%# (The following paragraph is not intended to limit the rights granted
+%# to you to modify and distribute this software under the terms of
+%# the GNU General Public License and is only of importance to you if
+%# you choose to contribute your changes and enhancements to the
+%# community by submitting them to Best Practical Solutions, LLC.)
+%#
+%# By intentionally submitting any modifications, corrections or
+%# derivatives to this work, or any other work intended for use with
+%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
+%# you are the copyright holder for those contributions and you grant
+%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
+%# royalty-free, perpetual, license to use, copy, create derivative
+%# works based on those contributions, and sublicense and distribute
+%# those contributions and any derivatives thereof.
+%#
+%# END BPS TAGGED BLOCK }}}
+<%init>
+ my $hand = ($session{'CurrentUser'} ||= RT::CurrentUser->new)->LanguageHandle;
+ $m->print($hand->maketext($m->content, at _));
+ return(1);
+</%init>
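Review bot: the new component carries no usage documentation, and its `<%init>` prints `$hand->maketext($m->content, @_)` verbatim, so neither the translated template nor any argument is escaped; add a `%#` comment below the license block stating that `/l` remains the default and that `/l_unsafe` may only be given arguments that are already trusted, escaped markup. Two smaller points: `$session{'CurrentUser'} ||= RT::CurrentUser->new` creates an anonymous CurrentUser as a side effect of a localisation call, which deserves a comment on whether that is intentional; and the `at _` on the `maketext` line in this listing is the mailing list's address munging of `@_`, so apply the patch from git rather than from this mail.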

-----------------------------------------------------------------------

