View Issue Details

ID: 0012234
Project: mantisbt
Category: security
View Status: public
Last Update: 2011-08-02 12:35
Reporter: atrol
Assigned To: dhx
Status: closed
Resolution: fixed
Product Version: 1.2.2
Target Version:
Fixed in Version: 1.2.3
Summary: 0012234: XSS issues when using custom field String values

Description
Scripting code entered in a custom field of type String is executed when displaying the HTML report.

Steps To Reproduce
  1. Add a custom field of type String to a project
  2. Add the column to the "Print Issues Columns"
  3. Enter an issue with scripting code in the custom field
  4. Select "View Issues"
  5. Select "Print Reports"
  6. Click on the IE icon
  7. See your code being executed
Tags: No tags attached.

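The report above describes an output-encoding bug: a String custom field value is written into the HTML print report without being escaped, so any markup the reporter typed becomes part of the page. The following is an added illustration of that pattern, not MantisBT's code and not the patch referenced in the notes below; the function names and the payload are made up for the example, and the only real API used is PHP's htmlspecialchars().

```php
<?php
// Added illustration, not MantisBT's own code. Shows the bug class in this
// report: a custom field String value written into HTML report markup
// without output encoding, beside the escaped form. Function names and the
// payload are assumptions made for this example.

// Constructed payload, as an attacker would type it into the custom field.
const SAMPLE_PAYLOAD = '<script>alert(document.cookie)</script>';

// Vulnerable: the stored string is concatenated into the report cell as-is,
// so tags inside it are parsed as markup and run in the viewer's browser.
function render_custom_field_cell_vulnerable(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Fixed: encode for an HTML text context at the point of output. ENT_QUOTES
// also covers single and double quotes for attribute contexts, and naming the
// charset avoids multibyte encoding confusion.
function render_custom_field_cell_fixed(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>';
}

$vulnerable = render_custom_field_cell_vulnerable(SAMPLE_PAYLOAD);
$fixed      = render_custom_field_cell_fixed(SAMPLE_PAYLOAD);

// The vulnerable cell still contains a live script element.
assert(strpos($vulnerable, '<script>') !== false);
// The fixed cell contains only text; the browser renders it, never executes it.
assert(strpos($fixed, '<script>') === false);
assert($fixed === '<td>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</td>');

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```

The check a practitioner wants here is the same for every custom field type: escape on output, in the context (text, attribute, URL) where the value lands, rather than trusting that input validation stripped everything. A value that is safe in one report template is not automatically safe in another.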
Note ~0026219  dhx (reporter)  2010-08-05 04:16

I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases.

Perhaps this is a duplicate of 0012232, which I fixed yesterday?



Note ~0026221  atrol (developer)  2010-08-05 05:56

I don't think it's a duplicate because 0012232 fixes a problem with enumeration values. This one is for String values. I had a short look at your patch. Maybe this also fixed this problem, because you changed the function cfdef_input_textbox.
In the next few days I will try a nightly build and give you feedback.



Note ~0026223  dhx (reporter)  2010-08-05 09:58

Yep, I didn't just fix enumeration values... I fixed them all.

So I guess I fixed the same issue you came across too :)



Note ~0026227  atrol (developer)  2010-08-05 11:39

Checked with the nightly build.
The String problem is also fixed.
Thank you.

Issue History

Date Modified Username Field Change
2010-08-04 15:54 atrol New Issue
2010-08-04 15:57 jreese Assigned To => dhx
2010-08-04 15:57 jreese Status new => assigned
2010-08-05 04:16 dhx Note Added: 0026219
2010-08-05 05:56 atrol Note Added: 0026221
2010-08-05 09:58 dhx Note Added: 0026223
2010-08-05 11:39 atrol Note Added: 0026227
2010-08-05 11:39 atrol Status assigned => resolved
2010-08-05 11:39 atrol Fixed in Version => 1.2.3
2010-08-05 11:39 atrol Resolution open => fixed
2010-08-05 18:37 dhx View Status private => public
2011-08-02 12:35 dregad Status resolved => closed