authorivan <ivan>2010-05-18 18:49:59 +0000
committerivan <ivan>2010-05-18 18:49:59 +0000
commit624b2d44625f69d71175c3348cae635d580c890b (patch)
treeed57a90db2ecbc72cea6c1d3c175c1dcd1938ab4 /rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
parent7f4aff45cd6ef2f630d538294fa9d9c4db4ac4aa (diff)
parente70abd21bab68b23488f7ef1ee2e693a3b365691 (diff)
This commit was generated by cvs2svn to compensate for changes in r9232,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'rt/lib/RT/ObjectCustomFieldValue_Overlay.pm')
-rw-r--r--rt/lib/RT/ObjectCustomFieldValue_Overlay.pm31
1 files changed, 31 insertions, 0 deletions
diff --git a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
index 37ad0567b..62742f182 100644
--- a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
+++ b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
@@ -150,6 +150,20 @@ sub LoadByObjectContentAndCustomField {
);
}
+=head2 CustomFieldObj
+
+Returns the CustomField Object which has the id returned by CustomField
+
+=cut
+
+sub CustomFieldObj {
+ my $self = shift;
+ my $CustomField = RT::CustomField->new( $self->CurrentUser );
+ $CustomField->SetContextObject( $self->Object );
+ $CustomField->Load( $self->__Value('CustomField') );
+ return $CustomField;
+}
+
=head2 Content
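Review bot: `CustomFieldObj` discards the return value of `$CustomField->Load(...)`, so when the id cannot be loaded the caller gets back an empty RT::CustomField object, and the POD does not say so. The logging code added to `_FillInTemplateURL` in this same commit calls `->Name` on the result without checking it. I would extend the POD with a sentence such as `The returned object may be unloaded (no id) if the custom field cannot be loaded; check ->id before relying on it.` The id is read with `__Value`, which looks like the raw accessor rather than the rights-checked one; if that is deliberate, a one-line comment saying why would help the next reader.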
@@ -234,6 +248,23 @@ sub _FillInTemplateURL {
my $self = shift;
my $url = shift;
+ return undef unless defined $url && length $url;
+
+ # special case, whole value should be an URL
+ if ( $url =~ /^__CustomField__/ ) {
+ my $value = $self->Content;
+ # protect from javascript: URLs
+ if ( $value =~ /^\s*javascript:/i ) {
+ my $object = $self->Object;
+ $RT::Logger->error(
+ "Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
+ ." on ". ref($object) ." #". $object->id
+ );
+ return undef;
+ }
+ $url =~ s/^__CustomField__/$value/;
+ }
+
# default value, uri-escape
for my $key (keys %placeholders) {
$url =~ s{__${key}__}{
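Review bot: The `javascript:` test in the `__CustomField__` branch is a denylist, so it rejects only that one scheme written exactly that way after optional whitespace; any other scheme, or a spelling that a browser normalises before resolving the scheme, is still substituted into the link unescaped. Because this branch treats the whole field value as the URL, accepting only known schemes is the more robust check, e.g. `unless ( defined $value && $value =~ m{^\s*(?:https?|ftp|mailto):}i ) { ... log and return undef ... }`, with the scheme list adjusted to what the installation needs. That form also covers an undefined `Content`, which the current `$value =~` would match against with a warning. The log message misspells "Dangerous", which makes it harder to grep for. The body of `_FillInTemplateURL` starts before and continues past this hunk.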