From e2adc8711a01924a0ef85ceade6b3def1c9dcd17 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org"
Date: Mon, 18 Feb 2013 12:30:50 +0000
Subject: [PATCH] Bug 842063: HTML injection is possible using the bug alias r=dkl a=LpSolit

git-svn-id: svn://10.0.0.236/trunk@264756 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/.bzrrev | 2 +-
 .../bugzilla/template/en/default/bug/show-header.html.tmpl | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index be193ca94ce..6fc11930536 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-8583
\ No newline at end of file
+8584
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/template/en/default/bug/show-header.html.tmpl b/mozilla/webtools/bugzilla/template/en/default/bug/show-header.html.tmpl
index 54d51dd4f3f..f67bbf2f88b 100644
--- a/mozilla/webtools/bugzilla/template/en/default/bug/show-header.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/bug/show-header.html.tmpl
@@ -13,12 +13,14 @@
 # be overridden by the calling templates.
 #%]
 
+[% filtered_alias = bug.alias FILTER html %]
 [% filtered_desc = bug.short_desc FILTER html %]
-[% subheader = filtered_desc %]
 [% filtered_timestamp = bug.delta_ts FILTER time %]
+
+[% subheader = filtered_desc %]
 [% title = "$terms.Bug $bug.bug_id – " %]
 [% IF bug.alias != '' %]
- [% title = title _ "($bug.alias) " %]
+ [% title = title _ "($filtered_alias) " %]
 [% END %]
 [% title = title _ filtered_desc %]
 [% yui = ['autocomplete', 'calendar'] %]
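Review bot: The escaping contract for `title` is still implicit after this fix: the hunk filters `bug.alias` by hand before concatenating it, but nothing in the block says that `title` and `subheader` must be built only from already-filtered values, presumably because the header template emits them without a filter of its own. I would add a comment above the `filtered_*` assignments such as `[%# title and subheader are emitted as-is by the header; HTML-filter every bug field before concatenating it here. %]`. The context line `[% title = "$terms.Bug $bug.bug_id – " %]` keeps the same double-quoted interpolation that hid the raw alias; `bug_id` is presumably numeric, so this is a consistency point rather than a second injection, but it is worth confirming. The template continues past the hunk, so any later use of `bug.alias` is not visible here and should be checked for the same filter.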