From c11c2a6c8192a8402f3a0434d58cf82d9b2fc4fc Mon Sep 17 00:00:00 2001
From: ivan
Date: Mon, 20 Dec 2004 11:29:16 +0000
Subject: [PATCH] backport from 3.3-TESTING to fix XSS on ticket lists

---
 rt/html/Elements/CollectionAsTable/Row | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rt/html/Elements/CollectionAsTable/Row b/rt/html/Elements/CollectionAsTable/Row
index 926317be9..701966fcc 100644
--- a/rt/html/Elements/CollectionAsTable/Row
+++ b/rt/html/Elements/CollectionAsTable/Row
@@ -54,9 +54,16 @@ foreach my $column (@Format) {
             my $value = $m->comp('/Elements/RT__Ticket/ColumnMap', Name => $col, Attr => 'value');
             if ( $value && ref($value)) {
-                $m->out( &{ $value } ( $record, $i ) );
+                # All HTML snippets are returned by the callback function
+                # as scalar references. Data fetched from the objects are
+                # plain scalars, and needs to be escaped properly.
+                $m->out(
+                    map { ref($_) ? $$_ : $m->interp->apply_escapes( $_ => 'h' ) }
+                    &{ $value } ( $record, $i )
+                );
             }
             else {
-                $m->out($value );
+                # Simple value; just escape it.
+                $m->out( $m->interp->apply_escapes( $value => 'h' ) );
             }
         }
         else {
-- 
2.11.0
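Review bot: The added map treats any reference as trusted, pre-escaped HTML, because `ref($_)` is true for array, hash and blessed references as well, and `$$_` then dies at runtime with "Not a SCALAR reference" on anything but a scalar ref. Restricting the verbatim path to exactly what the comment describes keeps the unescaped output as narrow as intended: `map { ref($_) eq 'SCALAR' ? $$_ : $m->interp->apply_escapes( $_ => 'h' ) }`. Since the escaping decision for ref values now lives in the ColumnMap callbacks, which are not visible in this hunk, the comment should state that contract plainly, e.g. `# A scalar ref is emitted verbatim: the callback that built it is responsible for escaping.` The enclosing foreach starts before the hunk and continues past it.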