Commit 1a9987fa authored by Ruslan Zakirov's avatar Ruslan Zakirov

improve LinkValueTo and return back functionality

* if LinkValueTo starts with __CustomField__ then don't
  escape it, but make sure it's not a JS link
* we must escape links using HTML escaping
* don't check CF's LinkValueTo, just call value's method
* don't wrap if link is empty
parent 0e5f9847
......@@ -248,6 +248,23 @@ sub _FillInTemplateURL {
my $self = shift;
my $url = shift;
return undef unless defined $url && length $url;
# special case, whole value should be an URL
if ( $url =~ /^__CustomField__/ ) {
my $value = $self->Content;
# protect from javascript: URLs
if ( $value =~ /^\s*javascript:/i ) {
my $object = $self->Object;
$RT::Logger->error(
"Dangerouse value with JavaScript in custom field '". $self->CustomFieldObj->Name ."'"
." on ". ref($object) ." #". $object->id
);
return undef;
}
$url =~ s/^__CustomField__/$value/;
}
# default value, uri-escape
for my $key (keys %placeholders) {
$url =~ s{__${key}__}{
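Review bot: The `javascript:` test in the `__CustomField__` branch is a denylist of one scheme spelling, so a stored value using any other script-capable scheme, or a spelling the browser normalises before it parses the scheme, still becomes the whole href. An allowlist is the safer shape here, for example `unless ( $value =~ m{^\s*(?:https?|ftp|mailto):}i ) {` around the existing log-and-return, with the scheme list made configurable if sites link to other protocols; relative URLs would need a separate decision. The substituted value is also passed through the `%placeholders` loop that follows, so any `__key__` text inside the field content would be expanded, which is worth confirming as intended. The log message has a typo (`Dangerouse`). The rest of `_FillInTemplateURL` lies outside the hunk.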
......
......@@ -82,9 +82,10 @@ $m->callback(
my $print_value = sub {
my ($cf, $value) = @_;
my $linked = $cf->LinkValueTo;
if ( $linked ) {
$m->out('<a href="'. $value->LinkValueTo .'" target="_new">');
my $linked = $value->LinkValueTo;
if ( defined $linked && length $linked ) {
my $linked = $m->interp->apply_escapes( $linked, 'h' );
$m->out('<a href="'. $linked .'" target="_new">');
}
my $comp = "ShowCustomField". $cf->Type;
$m->callback(
......@@ -98,7 +99,7 @@ my $print_value = sub {
} else {
$m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
}
$m->out('</a>') if $linked;
$m->out('</a>') if defined $linked && length $linked;
# This section automatically populates a div with the "IncludeContentForValue" for this custom
# field if it's been defined
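Review bot: The anchor written by `$m->out('<a href="'. $linked .'" target="_new">');` opens a URL derived from custom field content in another window without a `rel` attribute, so the opened page may receive a `window.opener` handle to the RT page; `$m->out('<a href="'. $linked .'" target="_new" rel="noopener noreferrer">');` closes that off. HTML-escaping is the right step for the attribute context, but it does not constrain the URL scheme, so this code presumably relies on the check made when the value's `LinkValueTo` builds the URL. Separately, `my $linked = $m->interp->apply_escapes( $linked, 'h' );` declares a second `$linked` that shadows the outer one inside the `if` block; a distinct name such as `$href` would read more clearly and make it obvious that the closing `</a>` test uses the unescaped value. The `$print_value` closure continues outside both hunks.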
......