From: ivan
Date: Mon, 20 Dec 2004 11:29:16 +0000 (+0000)
Subject: backport from 3.3-TESTING to fix XSS on ticket lists
X-Git-Tag: BEFORE_FINAL_MASONIZE~774
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=c11c2a6c8192a8402f3a0434d58cf82d9b2fc4fc

backport from 3.3-TESTING to fix XSS on ticket lists
---

diff --git a/rt/html/Elements/CollectionAsTable/Row b/rt/html/Elements/CollectionAsTable/Row
index 926317be9..701966fcc 100644
--- a/rt/html/Elements/CollectionAsTable/Row
+++ b/rt/html/Elements/CollectionAsTable/Row
@@ -54,9 +54,16 @@ foreach my $column (@Format) {
 my $value = $m->comp('/Elements/RT__Ticket/ColumnMap', Name => $col, Attr => 'value');
 if ( $value && ref($value)) {
- $m->out( &{ $value } ( $record, $i ) );
+ # All HTML snippets are returned by the callback function
+ # as scalar references. Data fetched from the objects are
+ # plain scalars, and needs to be escaped properly.
+ $m->out(
+ map { ref($_) ? $$_ : $m->interp->apply_escapes( $_ => 'h' ) }
+ &{ $value } ( $record, $i )
+ );
 }
 else {
- $m->out($value );
+ # Simple value; just escape it.
+ $m->out( $m->interp->apply_escapes( $value => 'h' ) );
 }
 }
 else {
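Review bot: The escape-or-pass-through decision in the added `map` keys on `ref($_)` alone, so any reference the ColumnMap callback returns is treated as a pre-escaped HTML snippet, and a non-SCALAR reference would die on `$$_` (under strict refs) rather than being escaped. The contract the new comment describes — scalar reference means trusted markup, plain scalar means untrusted data — is enforced only in this row renderer and not where the callbacks in `/Elements/RT__Ticket/ColumnMap` are written, so a callback that wraps user-controlled text in `\` silently bypasses the fix; that is presumably intended for markup-producing columns, but it is worth stating next to the callback definitions. Tightening the test to `ref($_) eq 'SCALAR' ? $$_ : $m->interp->apply_escapes( $_ => 'h' )` makes the trusted case explicit and turns an unexpected reference type into a visible failure instead of unescaped output. The `foreach my $column` loop this hunk sits in starts before the hunk, and its trailing `else` branch continues past it.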