From e70abd21bab68b23488f7ef1ee2e693a3b365691 Mon Sep 17 00:00:00 2001
From: ivan <ivan>
Date: Tue, 18 May 2010 18:49:59 +0000
Subject: import rt 3.8.8

---
 rt/lib/RT/ObjectCustomFieldValue_Overlay.pm | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'rt/lib/RT/ObjectCustomFieldValue_Overlay.pm')

diff --git a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
index 37ad0567b..62742f182 100644
--- a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
+++ b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
@@ -150,6 +150,20 @@ sub LoadByObjectContentAndCustomField {
     );
 }
 
+=head2 CustomFieldObj
+
+Returns the CustomField Object which has the id returned by CustomField
+
+=cut
+
+sub CustomFieldObj {
+    my $self = shift;
+    my $CustomField = RT::CustomField->new( $self->CurrentUser );
+    $CustomField->SetContextObject( $self->Object );
+    $CustomField->Load( $self->__Value('CustomField') );
+    return $CustomField;
+}
+
 
 =head2 Content
 
@@ -234,6 +248,23 @@ sub _FillInTemplateURL {
     my $self = shift;
     my $url = shift;
 
+    return undef unless defined $url && length $url;
+
+    # special case, whole value should be an URL
+    if ( $url =~ /^__CustomField__/ ) {
+        my $value = $self->Content;
+        # protect from javascript: URLs
+        if ( $value =~ /^\s*javascript:/i ) {
+            my $object = $self->Object;
+            $RT::Logger->error(
+                "Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
+                ." on ". ref($object) ." #". $object->id
+            );
+            return undef;
+        }
+        $url =~ s/^__CustomField__/$value/;
+    }
+
     # default value, uri-escape
     for my $key (keys %placeholders) {
         $url =~ s{__${key}__}{
-- 
cgit v1.2.1