View Issue Details

ID: 0011232
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary0011232: XSS on summary_page.php with user Real Name field
Description

Set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to summary_page.php

Assuming that your name would normally show on the page (i.e. you're in one of the top lists) you'll see multiple alert() windows pop up.
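The root cause described above is a stored value reaching HTML output without encoding. The following is an added illustration, not MantisBT's own code: a minimal "top reporters" row renderer in the vulnerable form and in the fixed form, with output encoding applied at the boundary where the real name is written into the page. The sample real name and the function names are constructed for this example.

```php
<?php
// Added example, not code from MantisBT. Demonstrates why a user-controlled
// real name must be HTML-encoded before being printed into a summary table.

// Vulnerable form: the stored real name is interpolated straight into HTML,
// so a name containing <script>...</script> becomes live markup.
function render_row_unescaped(string $realname, int $count): string {
    return "<tr><td>$realname</td><td>$count</td></tr>\n";
}

// Encode for an HTML body/attribute context. ENT_QUOTES also covers single
// quotes so the same helper is safe inside attribute values.
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed form: encode at the output boundary, not at storage time, so the
// database keeps the name as entered and every rendering path stays safe.
function render_row_escaped(string $realname, int $count): string {
    return '<tr><td>' . html_escape($realname) . '</td><td>' . $count . "</td></tr>\n";
}

// Regression check: rendered output must never contain the raw user data
// when that data includes an angle bracket.
function leaks_raw_markup(string $html, string $userdata): bool {
    return strpos($userdata, '<') !== false && strpos($html, $userdata) !== false;
}

// Constructed input mirroring the report's reproduction step.
$realname = 'Jane <script>alert(42);</script>';

echo render_row_unescaped($realname, 3);   // script element reaches the browser
echo render_row_escaped($realname, 3);     // rendered as visible text instead

var_dump(leaks_raw_markup(render_row_unescaped($realname, 3), $realname));
var_dump(leaks_raw_markup(render_row_escaped($realname, 3), $realname));
```

Output encoding is the fix for this issue; input validation of the real name (the subject of the related issue 0011234) is a complementary control, not a replacement, because names from other sources such as LDAP or database imports never pass through the account form.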

Tags: No tags attached.

Relationships

child of 0011234 (closed, dhx): user_ensure_realname_valid() is not checked on account_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 810ae079

2009-12-01 00:25

dhx


Fix 0011232: XSS on summary_page.php with user Real Name field

User real names should be sanitised before being printed to
summary_page.php as it may be possible for the names to contain HTML
elements that allow for XSS attacks.
Affected Issues
0011232
mod - core/summary_api.php

MantisBT: master-1.2.x c23edbfb

2009-12-01 00:25

dhx


Fix 0011232: XSS on summary_page.php with user Real Name field

User real names should be sanitised before being printed to
summary_page.php as it may be possible for the names to contain HTML
elements that allow for XSS attacks.
Affected Issues
0011232
mod - core/summary_api.php