

[Merge] lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630 into lp:launchpad

 

Ian Booth has proposed merging lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630 into lp:launchpad.

Commit message:
Remove xss from bug duplicate links.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wallyworld/launchpad/duplicate-bug-warning-xss-1057630/+merge/126849

Tweak the duplicate.js code to remove some XSS issues. 
-- 
https://code.launchpad.net/~wallyworld/launchpad/duplicate-bug-warning-xss-1057630/+merge/126849
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wallyworld/launchpad/duplicate-bug-warning-xss-1057630 into lp:launchpad.
=== modified file 'lib/lp/bugs/javascript/duplicates.js'
--- lib/lp/bugs/javascript/duplicates.js	2012-09-21 02:51:51 +0000
+++ lib/lp/bugs/javascript/duplicates.js	2012-09-28 03:42:25 +0000
@@ -379,13 +379,13 @@
 
     // Create the informational message to go at the top of the bug tasks
     // table.
-    _duplicate_bug_info_message: function(dup_id, dup_title) {
+    _duplicate_bug_info_message: function(dup_id) {
         var info_template = [
             '<span class="bug-duplicate-details ellipsis ',
             'single-line wide">',
             '<span class="sprite info"></span>',
             'This bug report is a duplicate of:&nbsp;',
-            '<a href="/bugs/{dup_id}">Bug #{dup_id} {dup_title}</a></span>',
+            '<a id="duplicate-summary-top" href="/bugs/{dup_id}"></a></span>',
             '<a id="change-duplicate-bug-bugtasks"',
             '    href="+duplicate"',
             '    title="Edit or remove linked duplicate bug"',
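Review bot: dup_id is still interpolated into the href attribute by Y.Lang.substitute without escaping in the new line `'<a id="duplicate-summary-top" href="/bugs/{dup_id}"></a></span>'`, and the same holds for bug_id in the `dupe_link` template of the third hunk. That is only safe if the id is always a server-supplied integer, which nothing in these hunks enforces or documents. A precondition comment above the template, `// dup_id must be a numeric bug id: it is substituted into the href unescaped.`, or a guard before the substitute call such as `if (!/^\d+$/.test(String(dup_id))) { throw new Error('invalid bug id'); }` would make the remaining trust boundary explicit.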
@@ -396,18 +396,18 @@
             '    title="Remove linked duplicate bug"',
             '    class="sprite remove action-icon standalone ',
             '    remove-duplicate-bug">Remove</a>'].join(" ");
-        return Y.Lang.substitute(info_template, {
-            dup_id: dup_id,
-            dup_title: dup_title
-        });
+        return Y.Lang.substitute(info_template, {dup_id: dup_id});
     },
 
     // Render the duplicate message at the top of the bug tasks table.
     _show_bugtasks_duplicate_message: function(dup_id, dup_title) {
         var dupe_info = Y.one("#bug-is-duplicate");
         if (Y.Lang.isValue(dupe_info)) {
-            dupe_info.setContent(Y.Node.create(
-                this._duplicate_bug_info_message(dup_id, dup_title)));
+            var dup_message = Y.Node.create(
+                this._duplicate_bug_info_message(dup_id));
+            dup_message.one('#duplicate-summary-top')
+                .set('text', 'Bug #' + dup_id + ' ' + dup_title);
+            dupe_info.appendChild(dup_message);
         }
     },
 
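Review bot: Replacing `setContent` with `appendChild` on the last added line changes the semantics of `_show_bugtasks_duplicate_message`: `setContent` replaced whatever was already inside `#bug-is-duplicate`, so a second call (for example after the duplicate is changed again without a page reload) now appends a second message instead of replacing the first. YUI's `Node.setContent` accepts a Node as well as a string, so `dupe_info.setContent(dup_message);` keeps the replace behaviour while still filling the title through the `set('text', …)` path. Setting the title as text rather than via the template is the right fix for the injection; only the append is the concern here.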
@@ -430,9 +430,9 @@
      */
     _show_comment_on_duplicate_warning: function(bug_id, title) {
         var dupe_link = Y.Lang.substitute(
-            '<a title="{title}" id="duplicate-of-warning-link" ' +
+            '<a id="duplicate-of-warning-link" ' +
             'href="/bugs/{id}" style="margin-right: 4px">bug #{id}.</a>',
-            {id: bug_id, title: title});
+            {id: bug_id});
         var new_duplicate_warning = Y.Node.create(
             ['<div class="block-sprite large-warning"',
              'id="warning-comment-on-duplicate">',
@@ -441,6 +441,7 @@
              '<br/>Comment here only if you think the duplicate status ',
              'is wrong.',
              '</div>'].join(''));
+        new_duplicate_warning.setAttribute('title', title);
         var duplicate_warning = Y.one('#warning-comment-on-duplicate');
         if (!Y.Lang.isValue(duplicate_warning)) {
             var container = Y.one('#add-comment-form');
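Review bot: The added `new_duplicate_warning.setAttribute('title', title);` puts the tooltip on the whole warning div, whereas the attribute removed in the previous hunk was on the `#duplicate-of-warning-link` anchor, so the hover target changes and anything selecting the link by its title no longer matches. If the move was only to avoid interpolating `title` into markup, the same safety is available on the original element: `new_duplicate_warning.one('#duplicate-of-warning-link').setAttribute('title', title);`. The body of `_show_comment_on_duplicate_warning` continues past the end of this hunk.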

