author | ivan <ivan> | 2004-12-20 11:29:16 +0000 |
committer | ivan <ivan> | 2004-12-20 11:29:16 +0000 |
commit | c11c2a6c8192a8402f3a0434d58cf82d9b2fc4fc (patch) | |
tree | 2a4bffd6f4ab99c6c94a8bc3ce1011f6be9f8f30 /rt | |
parent | f7e1a877f69a8a144fc2da7a422c4e3f728321cb (diff) |
backport from 3.3-TESTING to fix XSS on ticket lists
Diffstat (limited to 'rt')
-rw-r--r-- | rt/html/Elements/CollectionAsTable/Row | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/rt/html/Elements/CollectionAsTable/Row b/rt/html/Elements/CollectionAsTable/Row
index 926317be9..701966fcc 100644
--- a/rt/html/Elements/CollectionAsTable/Row
+++ b/rt/html/Elements/CollectionAsTable/Row
@@ -54,9 +54,16 @@ foreach my $column (@Format) {
 my $value = $m->comp('/Elements/RT__Ticket/ColumnMap', Name => $col, Attr => 'value');
 if ( $value && ref($value)) {
- $m->out( &{ $value } ( $record, $i ) );
+ # All HTML snippets are returned by the callback function
+ # as scalar references. Data fetched from the objects are
+ # plain scalars, and needs to be escaped properly.
+ $m->out(
+ map { ref($_) ? $$_ : $m->interp->apply_escapes( $_ => 'h' ) }
+ &{ $value } ( $record, $i )
+ );
 } else {
- $m->out($value );
+ # Simple value; just escape it.
+ $m->out( $m->interp->apply_escapes( $value => 'h' ) );
 }
 } else { |
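Review bot: The `ref($_) ? $$_ : ...` branch in the new map makes the XSS fix conditional on every ColumnMap callback escaping the ticket data it interpolates before wrapping the snippet in a scalar ref; a callback that returns `\"<a ...>$subject</a>"` with raw user-controlled text still reaches the page unescaped, and nothing in this hunk verifies that. That contract should be stated where the bypass happens, for example `# Scalar refs are emitted verbatim: ColumnMap callbacks MUST escape any object data they interpolate before returning \"...".` The test is also `ref($_)` for any reference type, so a callback that returns an array ref or a blessed object would be dereferenced as a scalar and die; `ref($_) eq 'SCALAR'` (or Scalar::Util's reftype) would make the intent explicit and fail more clearly. Mason's `h` escape covers `&<>"` but not the single quote, so values landing inside single-quoted attributes in those snippets would need a separate check. The enclosing `foreach my $column (@Format)` loop starts before the hunk and continues past its last line.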