rt 3.8.14

2 files changed, 14 insertions, 3 deletions

diff --git a/rt/lib/RT/Interface/Web.pm b/rt/lib/RT/Interface/Web.pm
index aafca1a75..61c06acb2 100644
--- a/rt/lib/RT/Interface/Web.pm
+++ b/rt/lib/RT/Interface/Web.pm
@@ -1035,6 +1035,17 @@ our %is_whitelisted_component = (
     # information for the search.  Because it's a straight-up read, in
     # addition to embedding its own auth, it's fine.
     '/NoAuth/rss/dhandler' => 1,
+
+    # IE doesn't send referer in window.open()
+    # besides, as a harmless calendar select page, it's fine
+    '/Helpers/CalPopup.html' => 1,
+
+    # While both of these can be used for denial-of-service against RT
+    # (construct a very inefficient query and trick lots of users into
+    # running them against RT) it's incredibly useful to be able to link
+    # to a search result or bookmark a result page.
+    '/Search/Results.html' => 1,
+    '/Search/Simple.html'  => 1,
 );
 
 sub IsCompCSRFWhitelisted {
diff --git a/rt/sbin/rt-email-dashboards.in b/rt/sbin/rt-email-dashboards.in
index 0b3686aa8..2323a5ebc 100644
--- a/rt/sbin/rt-email-dashboards.in
+++ b/rt/sbin/rt-email-dashboards.in
@@ -384,9 +384,9 @@ sub get_from {
                 autohandler_name => '', # disable forced login and more
                 data_dir => $data_dir,
             );
-            $mason->interp->set_escape( h => \&RT::Interface::Web::EscapeUTF8 );
-            $mason->interp->set_escape( u => \&RT::Interface::Web::EscapeURI  );
-            $mason->interp->set_escape( j => \&RT::Interface::Web::EscapeJS   );
+            $mason->set_escape( h => \&RT::Interface::Web::EscapeUTF8 );
+            $mason->set_escape( u => \&RT::Interface::Web::EscapeURI  );
+            $mason->set_escape( j => \&RT::Interface::Web::EscapeJS   );
         }
         return $mason;
     }