-rw-r--r--rt/lib/RT/Interface/Web.pm11
-rw-r--r--rt/sbin/rt-email-dashboards.in6
2 files changed, 14 insertions, 3 deletions
diff --git a/rt/lib/RT/Interface/Web.pm b/rt/lib/RT/Interface/Web.pm
index aafca1a75..61c06acb2 100644
--- a/rt/lib/RT/Interface/Web.pm
+++ b/rt/lib/RT/Interface/Web.pm
@@ -1035,6 +1035,17 @@ our %is_whitelisted_component = (
# information for the search. Because it's a straight-up read, in
# addition to embedding its own auth, it's fine.
'/NoAuth/rss/dhandler' => 1,
+
+ # IE doesn't send referer in window.open()
+ # besides, as a harmless calendar select page, it's fine
+ '/Helpers/CalPopup.html' => 1,
+
+ # While both of these can be used for denial-of-service against RT
+ # (construct a very inefficient query and trick lots of users into
+ # running them against RT) it's incredibly useful to be able to link
+ # to a search result or bookmark a result page.
+ '/Search/Results.html' => 1,
+ '/Search/Simple.html' => 1,
);
sub IsCompCSRFWhitelisted {
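Review bot: The new entries for `/Search/Results.html` and `/Search/Simple.html` record the denial-of-service trade-off but not the invariant that makes a CSRF exemption acceptable: that, like the RSS handler above them, these components change no state on the server. The whitelist is keyed by component path alone, so anyone later adding a write path to either page (a bulk action, persisting search state) would silently lose the CSRF check without touching this hash. I'd extend the comment with `# These must stay strictly read-only; any state-changing action added to them would be reachable without the CSRF check.` The `%is_whitelisted_component` hash opens before the hunk and `IsCompCSRFWhitelisted` continues after it.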
diff --git a/rt/sbin/rt-email-dashboards.in b/rt/sbin/rt-email-dashboards.in
index 0b3686aa8..2323a5ebc 100644
--- a/rt/sbin/rt-email-dashboards.in
+++ b/rt/sbin/rt-email-dashboards.in
@@ -384,9 +384,9 @@ sub get_from {
autohandler_name => '', # disable forced login and more
data_dir => $data_dir,
);
- $mason->interp->set_escape( h => \&RT::Interface::Web::EscapeUTF8 );
- $mason->interp->set_escape( u => \&RT::Interface::Web::EscapeURI );
- $mason->interp->set_escape( j => \&RT::Interface::Web::EscapeJS );
+ $mason->set_escape( h => \&RT::Interface::Web::EscapeUTF8 );
+ $mason->set_escape( u => \&RT::Interface::Web::EscapeURI );
+ $mason->set_escape( j => \&RT::Interface::Web::EscapeJS );
}
return $mason;
}
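Review bot: The three `set_escape` calls can be a single call, since `HTML::Mason::Interp::set_escape` accepts a list of name/coderef pairs: `$mason->set_escape( h => \&RT::Interface::Web::EscapeUTF8, u => \&RT::Interface::Web::EscapeURI, j => \&RT::Interface::Web::EscapeJS );`. The fix itself looks right for an Interp object, which has no `interp` accessor. The closing brace on the line after the calls suggests these registrations sit inside a conditional whose other branch is outside the hunk; as far as I recall Mason ships default `h` and `u` escapes but no `j`, so it is worth confirming that branch also registers `j` or dashboard templates using `|j` will fail there. The enclosing sub begins before the hunk.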