View Issue Details

ID: 0011397
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011397: XSS with project names in relationship table
Description

A malicious project name containing JavaScript will not be sanitised before being printed in the relationships table (the bug view page).

Relevant code from relationship_api.php:

# add project name
if( $p_show_project ) {
    # $t_related_project_name is concatenated into the table cell as-is,
    # with no HTML escaping, which is the reported XSS
    $t_relationship_info_html .= $t_td . $t_related_project_name . ' </td>';
}
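The following is an added example, not MantisBT's own code, showing the reported pattern next to an escaped version and a small check a reviewer or regression test can run on the rendered cell. The project name is a constructed sample; the escaping uses PHP's built-in htmlspecialchars() as a stand-in for the project's own core/string_api.php helpers, and the UTF-8 charset is assumed.

```php
<?php
// Added example (not MantisBT code): why the relationship-table cell in
// relationship_api.php is exploitable, and how escaping removes the issue.

// Constructed sample: a project name containing script markup.
$t_related_project_name = "Sales <script>alert('xss')</script>";
$t_td = '<td>';

// Reported pattern: the raw name is concatenated straight into the HTML cell,
// so any markup in it becomes part of the page.
function render_cell_unsafe( $p_td, $p_name ) {
    return $p_td . $p_name . ' </td>';
}

// Hardened pattern: escape the value for an HTML text node first.
// ENT_QUOTES also converts single quotes, which matters if the same value is
// ever reused inside an attribute. UTF-8 is assumed as the page charset.
function render_cell_safe( $p_td, $p_name ) {
    return $p_td . htmlspecialchars( $p_name, ENT_QUOTES, 'UTF-8' ) . ' </td>';
}

// Review / regression check: the cell body must not contain any tag that the
// project name introduced. strip_tags() only changes the string if it found one.
function cell_contains_markup( $p_html ) {
    $t_body = substr( $p_html, strlen( '<td>' ), -strlen( ' </td>' ) );
    return $t_body !== strip_tags( $t_body );
}

$t_unsafe = render_cell_unsafe( $t_td, $t_related_project_name );
$t_safe   = render_cell_safe( $t_td, $t_related_project_name );

echo $t_unsafe, "\n";  // the <script> element survives into the page
echo $t_safe, "\n";    // the angle brackets and quotes are entity-encoded

// true for the unsafe rendering, false once the name is escaped
var_dump( cell_contains_markup( $t_unsafe ) );
var_dump( cell_contains_markup( $t_safe ) );
```

The check is deliberately coarse: it flags any tag in the cell body, which is the right bar for a column that should only ever hold a plain project name. Escaping at the output site, as render_cell_safe() does, is preferable to sanitising the name on input, because the same stored value may be rendered in other contexts (attributes, JavaScript strings) that need different encoding.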
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 45a2b5c3 (2010-01-15 04:27, dhx)

Fix 0011397: XSS with project names in relationship table

A malicious project name containing Javascript is not sanitised before
being printed in the relationships table (the bug view page).
Affected Issues
0011397
mod - core/relationship_api.php

MantisBT: master 0995c231 (2010-01-15 04:27, dhx)

Fix 0011397: XSS with project names in relationship table

A malicious project name containing Javascript is not sanitised before
being printed in the relationships table (the bug view page).
Affected Issues
0011397
mod - core/relationship_api.php