RT#6226: security fix for customer notes

author: mark <mark> 2010-03-25 01:37:19 +0000
committer: mark <mark> 2010-03-25 01:37:19 +0000
commit: f6ad19602096411e6248750d840f0a6e2e0ee036 (patch)
tree: 9a8ab8bf169e2e938a022fdae5c8f274c06e87ba /FS/FS
parent: d2c621ec6c3d2edbd3d8b44600a92d6773ffa971 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/FS/FS/Mason.pm b/FS/FS/Mason.pm
index be16bbb27..4c8c808cd 100644
--- a/FS/FS/Mason.pm
+++ b/FS/FS/Mason.pm
@@ -70,6 +70,7 @@ if ( -e $addl_handler_use_file ) {
   use HTML::Entities;
   use HTML::TreeBuilder;
   use HTML::FormatText;
+  use HTML::Defang;
   use JSON;
   use MIME::Base64;
   use IO::Handle;
@@ -408,6 +409,8 @@ I<outbuf> should be set to a scalar reference in standalone mode.
 
 =cut
 
+my %defang_opts = ( attribs_to_callback => ['src'], attribs_callback => sub { 1 });
+
 sub mason_interps {
   my $mode = shift || 'apache';
   my %opt = @_;
@@ -451,6 +454,8 @@ sub mason_interps {
 
   $interp{out_method} = $opt{outbuf} if $mode eq 'standalone' && $opt{outbuf};
 
+  my $html_defang = new HTML::Defang (%defang_opts);
+
   my $fs_interp = new HTML::Mason::Interp (
     %interp,
     escape_flags => { 'js_string' => sub {
@@ -458,7 +463,10 @@ sub mason_interps {
                         ${$_[0]} =~ s/(['\\])/\\$1/g;
                         ${$_[0]} =~ s/\n/\\n/g;
                         ${$_[0]} = "'". ${$_[0]}. "'";
-                      }
+                      },
+                      'defang'    => sub {
+                        ${$_[0]} = $html_defang->defang(${$_[0]});
+                      },
                     },
     compiler     => HTML::Mason::Compiler::ToObject->new(
                       allow_globals        => [qw(%session)],
author	mark <mark>	2010-03-25 01:37:19 +0000
committer	mark <mark>	2010-03-25 01:37:19 +0000
commit	f6ad19602096411e6248750d840f0a6e2e0ee036 (patch)
tree	9a8ab8bf169e2e938a022fdae5c8f274c06e87ba /FS/FS
parent	d2c621ec6c3d2edbd3d8b44600a92d6773ffa971 (diff)