[Rt-commit] rt branch, 4.0/escape-more-menu-attributes, created. rt-4.0.10-58-g6fbfcb7
Thomas Sibley
trs at bestpractical.com
Thu Feb 28 17:27:51 EST 2013
The branch, 4.0/escape-more-menu-attributes has been created
at 6fbfcb7fb0a69d474f94d942c581df0239215256 (commit)
- Log -----------------------------------------------------------------
commit 6fbfcb7fb0a69d474f94d942c581df0239215256
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Feb 28 14:06:47 2013 -0800
Escape menu URLs, targets, and IDs when generating HTML
Using proper escaping is simply a precaution in this case. None of the
unescaped interpolation is actually reachable for malicious purposes.
Notably, menu item ->path values are appropriately sanitized thanks to
being passed through URI.pm in RT::Interface::Web::Menu. Targets and
IDs are not used with user-input.
The escaping is bulletproofing, and there's no reason not to.
diff --git a/share/html/Elements/Menu b/share/html/Elements/Menu
index 23481c2..b2a2fb6 100644
--- a/share/html/Elements/Menu
+++ b/share/html/Elements/Menu
@@ -61,8 +61,8 @@
% if ($child->raw_html) {
<% $child->raw_html |n %>
% } else {
-% my $url = (not $child->path or $child->path =~ m{^\w+:/}) ? $child->path : RT->Config->Get('WebPath').$child->path;
-<a id="<%$item_id%>" class="menu-item <% $child->class || '' %>"<% $child->path ? ' href="'.$url.'"' : '' |n%><% $child->target ? ' target="'.$child->target.'"' : '' |n %>>\
+% my $url = $m->interp->apply_escapes((not $child->path or $child->path =~ m{^\w+:/}) ? $child->path : RT->Config->Get('WebPath').$child->path, 'h');
+<a id="<%$item_id%>" class="menu-item <% $child->class || '' %>"<% $child->path ? ' href="'.$url.'"' : '' |n%><% $child->target ? ' target="'.$m->interp->apply_escapes($child->target, 'h').'"' : '' |n %>>\
<% $child->escape_title ? $m->interp->apply_escapes($child->title, 'h') : $child->title |n %>\
</a>\
% }
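Review bot: In the first `+%` line, `$url` is computed and HTML-escaped unconditionally, so when `$child->path` is false the ternary yields that false/undefined path and it is still passed to `apply_escapes`; only the later interpolation is guarded by `$child->path ?`. Fold the guard into the computation, e.g. `% my $url = $child->path ? $m->interp->apply_escapes(($child->path =~ m{^\w+:/}) ? $child->path : RT->Config->Get('WebPath').$child->path, 'h') : '';`, which avoids escaping an undefined value and lets the `href` interpolation test `$url` instead of repeating the path check. Note also that `id="<%$item_id%>"` and `$child->class || ''` in the same tag are interpolated without `|n` and without an explicit `apply_escapes`, so, unlike `href` and `target`, their escaping depends on the interpreter's default escape flags; a short comment stating that assumption would help the next reader.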
@@ -82,3 +82,6 @@ $toplevel => 1
$parent_id => ''
$depth => 0
</%ARGS>
+<%init>
+$id = $m->interp->apply_escapes($id, 'h');
+</%init>
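Review bot: The new `<%init>` block escapes `$id` in place at component entry rather than at the point of output, so any later interpolation of `$id` that does not use `|n` (the other attributes in this component are interpolated without `|n`) will be escaped a second time if default escaping is in effect, turning `&` into `&amp;amp;` and `"` into `&amp;quot;`. Either escape `$id` where it is emitted and interpolate it with `|n`, matching how `href` and `target` are handled in the hunk above, or add a comment above `$id = ...` stating that every subsequent use of `$id` must bypass default escaping. The same consideration applies if `$id` is handed to a recursive call of this component, where it would be escaped again on entry.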
-----------------------------------------------------------------------