X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Flib%2FRT%2FObjectCustomFieldValue_Overlay.pm;h=18db8bfb49b49475d518bf1b15b1991d29a61fb6;hb=d32f4c43b0fde5c18b8c2ee8f3d4cb9c6861a403;hp=403d216ce27f39790b055ba392a97a89e9f82e81;hpb=fc6209f398899f0211cfcedeb81a3cd65e04a941;p=freeside.git

diff --git a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
index 403d216ce..18db8bfb4 100644
--- a/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
+++ b/rt/lib/RT/ObjectCustomFieldValue_Overlay.pm
@@ -2,7 +2,7 @@
 #
 # COPYRIGHT:
 #
-# This software is Copyright (c) 1996-2011 Best Practical Solutions, LLC
+# This software is Copyright (c) 1996-2013 Best Practical Solutions, LLC
 #                                          <sales@bestpractical.com>
 #
 # (Except where explicitly superseded by other copyright notices)
@@ -175,6 +175,9 @@ content, try "LargeContent"
 sub Content {
     my $self = shift;
     my $content = $self->SUPER::Content;
+
+    return undef unless $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+
     if ( !(defined $content && length $content) && $self->ContentType && $self->ContentType eq 'text/plain' ) {
         return $self->LargeContent;
     } else {
@@ -253,11 +256,11 @@ sub _FillInTemplateURL {
     # special case, whole value should be an URL
     if ( $url =~ /^__CustomField__/ ) {
         my $value = $self->Content;
-        # protect from javascript: URLs
-        if ( $value =~ /^\s*javascript:/i ) {
+        # protect from potentially malicious URLs
+        if ( $value =~ /^\s*(?:javascript|data):/i ) {
             my $object = $self->Object;
             $RT::Logger->error(
-                "Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
+                "Potentially dangerous URL type in custom field '". $self->CustomFieldObj->Name ."'"
                 ." on ". ref($object) ." #". $object->id
             );
             return undef;