[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.7-103-g1a9987f
Ruslan Zakirov
ruz at bestpractical.com
Mon Jan 25 13:45:05 EST 2010
The branch, 3.8-trunk has been updated
via 1a9987fa09cbea4b0243e5e0758f68aa14453b5b (commit)
via 0e5f9847279e61c6c0bbd34754e2f28e56e63f92 (commit)
from 1252970656b9cbc3a5a509595b746eebc76320f6 (commit)
Summary of changes:
lib/RT/ObjectCustomFieldValue_Overlay.pm | 17 +++++++++++++++++
lib/RT/Test.pm | 6 +++---
share/html/Elements/ShowCustomFields | 9 +++++----
3 files changed, 25 insertions(+), 7 deletions(-)
- Log -----------------------------------------------------------------
commit 0e5f9847279e61c6c0bbd34754e2f28e56e63f92
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon Jan 25 09:59:47 2010 +0300
we must drop the trailing ';' from the Dumper output, otherwise the generated code is invalid
diff --git a/lib/RT/Test.pm b/lib/RT/Test.pm
index 5615324..12b12ba 100644
--- a/lib/RT/Test.pm
+++ b/lib/RT/Test.pm
@@ -282,10 +282,10 @@ sub set_config_wrapper {
open my $fh, '>>', $tmp{'config'}{'RT'}
or die "Couldn't open config file: $!";
require Data::Dumper;
+ my $dump = Data::Dumper::Dumper([@_[2 .. $#_]]);
+ $dump =~ s/;\s+$//;
print $fh
- "\nSet(${sigil}${name}, \@{"
- . Data::Dumper::Dumper([@_[2 .. $#_]])
- ."}); 1;\n";
+ "\nSet(${sigil}${name}, \@{". $dump ."}); 1;\n";
close $fh;
if ( @SERVERS ) {
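Review bot: Stripping the trailing `;` on the `$dump =~ s/;\s+$//;` line leaves the rest of Data::Dumper's default framing in place, so the generated config line reads `Set($Name, @{$VAR1 = [...]}); 1;` and assigns a package global `$VAR1` every time the file is loaded. Enabling terse mode before the dump emits the bare `[...]` with neither the `$VAR1 =` prefix nor the trailing `;`, which removes the need for the regex and its whitespace assumption: `local $Data::Dumper::Terse = 1; my $dump = Data::Dumper::Dumper([@_[2 .. $#_]]);`. A one-line comment such as `# Dumper's default "$VAR1 = ...;" framing is not valid inside @{ }` would record why the plain call is not used. `set_config_wrapper` starts before this hunk and continues past it.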
commit 1a9987fa09cbea4b0243e5e0758f68aa14453b5b
Author: Ruslan Zakirov <ruz at bestpractical.com>
Date: Mon Jan 25 21:31:18 2010 +0300
improve LinkValueTo and restore its functionality
* if LinkValueTo starts with __CustomField__ then don't
escape it, but make sure it's not a JS link
* we must escape links using HTML escaping
* don't check CF's LinkValueTo, just call value's method
* don't wrap if link is empty
diff --git a/lib/RT/ObjectCustomFieldValue_Overlay.pm b/lib/RT/ObjectCustomFieldValue_Overlay.pm
index ce1a5a1..62742f1 100644
--- a/lib/RT/ObjectCustomFieldValue_Overlay.pm
+++ b/lib/RT/ObjectCustomFieldValue_Overlay.pm
@@ -248,6 +248,23 @@ sub _FillInTemplateURL {
my $self = shift;
my $url = shift;
+ return undef unless defined $url && length $url;
+
+ # special case, whole value should be an URL
+ if ( $url =~ /^__CustomField__/ ) {
+ my $value = $self->Content;
+ # protect from javascript: URLs
+ if ( $value =~ /^\s*javascript:/i ) {
+ my $object = $self->Object;
+ $RT::Logger->error(
+ "Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
+ ." on ". ref($object) ." #". $object->id
+ );
+ return undef;
+ }
+ $url =~ s/^__CustomField__/$value/;
+ }
+
# default value, uri-escape
for my $key (keys %placeholders) {
$url =~ s{__${key}__}{
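Review bot: The `javascript:` block on the `if ( $value =~ /^\s*javascript:/i )` line is a denylist, so other active schemes such as `data:` or `vbscript:` pass straight into the href, and a value like `java\tscript:` also slips through because the pattern only tolerates whitespace before the scheme while browsers strip tabs and newlines inside it before parsing. Since this branch deliberately skips URI escaping (the value is taken as the whole URL), the check should be an allowlist of schemes evaluated on a copy with control characters removed, with scheme-less relative references still accepted. The rest of the branch (the logged error and `return undef`) can stay as is; `return;` would be the idiomatic form, and the log text misspells "Dangerous". `_FillInTemplateURL` continues past the end of this hunk.
```perl
    if ( $url =~ /^__CustomField__/ ) {
        my $value = $self->Content;
        # Browsers drop tabs/newlines while parsing the scheme, so decide on
        # a stripped copy, and accept only known-safe schemes (a scheme-less,
        # relative reference is fine too).
        ( my $probe = defined $value ? $value : '' ) =~ s/[\x00-\x20]//g;
        my ($scheme) = $probe =~ /^([a-z][a-z0-9+.-]*):/i;
        if ( defined $scheme && $scheme !~ /^(?:https?|ftp|mailto)$/i ) {
            # … unchanged: log the rejected value and return undef …
        }
        $url =~ s/^__CustomField__/$value/;
    }
```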
diff --git a/share/html/Elements/ShowCustomFields b/share/html/Elements/ShowCustomFields
index ddb8b72..676606f 100644
--- a/share/html/Elements/ShowCustomFields
+++ b/share/html/Elements/ShowCustomFields
@@ -82,9 +82,10 @@ $m->callback(
my $print_value = sub {
my ($cf, $value) = @_;
- my $linked = $cf->LinkValueTo;
- if ( $linked ) {
- $m->out('<a href="'. $value->LinkValueTo .'" target="_new">');
+ my $linked = $value->LinkValueTo;
+ if ( defined $linked && length $linked ) {
+ my $linked = $m->interp->apply_escapes( $linked, 'h' );
+ $m->out('<a href="'. $linked .'" target="_new">');
}
my $comp = "ShowCustomField". $cf->Type;
$m->callback(
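Review bot: The `my $linked = $m->interp->apply_escapes( $linked, 'h' );` line declares a second `$linked` that shadows the one tested two lines earlier and later used for the closing `</a>`; it works only because the inner block ends before that check, and a reader has to verify the scopes to be sure. Giving the escaped form its own name keeps the raw value and the attribute-ready value distinct: `my $href = $m->interp->apply_escapes( $linked, 'h' ); $m->out('<a href="'. $href .'" target="_new">');`. HTML escaping is the right treatment for the attribute context here; whether the URL itself is safe to link is decided by the value's `LinkValueTo`, which lives in the other file of this commit. The `$print_value` closure continues past this hunk.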
@@ -98,7 +99,7 @@ my $print_value = sub {
} else {
$m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
}
- $m->out('</a>') if $linked;
+ $m->out('</a>') if defined $linked && length $linked;
# This section automatically populates a div with the "IncludeContentForValue" for this custom
# field if it's been defined
-----------------------------------------------------------------------