backport from 3.3-TESTING to fix XSS on ticket lists

diff --git a/rt/html/Elements/CollectionAsTable/Row b/rt/html/Elements/CollectionAsTable/Row
index 926317b..701966f 100644 (file)
--- a/rt/html/Elements/CollectionAsTable/Row
+++ b/rt/html/Elements/CollectionAsTable/Row
@@ -54,9 +54,16 @@ foreach my $column (@Format) {
             my $value = $m->comp('/Elements/RT__Ticket/ColumnMap', Name => $col, Attr => 'value');
 
             if ( $value && ref($value)) {
             my $value = $m->comp('/Elements/RT__Ticket/ColumnMap', Name => $col, Attr => 'value');
 
             if ( $value && ref($value)) {

-                $m->out( &{ $value } ( $record, $i ) );
+               # All HTML snippets are returned by the callback function
+               # as scalar references.  Data fetched from the objects are
+               # plain scalars, and needs to be escaped properly.
+               $m->out( 
+                   map { ref($_) ? $$_ : $m->interp->apply_escapes( $_ => 'h' ) }
+                   &{ $value } ( $record, $i )
+               );

             } else {
             } else {

-                $m->out($value );
+               # Simple value; just escape it.
+                $m->out( $m->interp->apply_escapes( $value => 'h' ) );

             }
         }
         else {
             }
         }
         else {