|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0012234||mantisbt||security||public||2010-08-04 15:54||2011-08-02 12:35|
|Target Version||(none)||Fixed in Version||1.2.3|
|Summary||0012234: XSS issues when using custom field String values|
|Description||Scripting code entered in a custom field of type String is executed when displaying the HTML report|
|Steps To Reproduce||1. Add a custom field with type String to a project|
2. Add the column to the "Print Issues Columns"
3. Enter an issue with scripting code in custom field
4. Select "View Issues"
5. Select "Print Reports"
6. Click on the IE icon
7. See your code being executed
|Tags||No tags attached.|
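As an added example (this is not MantisBT code and not the fix dhx refers to below, which the page does not show), the following PHP contrasts the unencoded rendering that produces this class of stored XSS with output encoding applied at the two sinks the report touches: the print-report table cell (HTML text context) and the custom-field textbox value (attribute context). All function, field and variable names are hypothetical; the two payloads are constructed for the demonstration.

```php
<?php
// Added example, not MantisBT's own code. It reproduces the class of bug in
// this report: a custom field's String value is written into HTML (a report
// table cell and the value attribute of the edit textbox) without encoding.
// Function and field names are hypothetical.
declare(strict_types=1);

// Encode for HTML text and attribute context. ENT_QUOTES covers both ' and ",
// so the same helper is safe inside single- and double-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from making htmlspecialchars return "".
function html_encode(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the stored value is interpolated raw into the report cell and
// into the textbox value attribute.
function render_cell_vulnerable(string $value): string {
    return '<td>' . $value . '</td>';
}
function render_textbox_vulnerable(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: every dynamic value passes through html_encode at the point of
// output. The field name is encoded too; custom field names are admin
// supplied configuration, not constants.
function render_cell_safe(string $value): string {
    return '<td>' . html_encode($value) . '</td>';
}
function render_textbox_safe(string $name, string $value): string {
    return '<input type="text" name="' . html_encode($name)
         . '" value="' . html_encode($value) . '" />';
}

// Demonstration check only: does the payload survive verbatim in the output?
// A surviving "<script>" or an unencoded closing quote is what the browser
// would act on.
function payload_survives(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed payloads: one targets the text context of the table cell, the
// other breaks out of the double-quoted value attribute of the textbox.
$payloads = [
    'text context'      => '<script>alert(1)</script>',
    'attribute context' => '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $label => $payload) {
    printf("== %s ==\n", $label);
    $vuln = render_cell_vulnerable($payload) . "\n"
          . render_textbox_vulnerable('custom_field_1', $payload);
    $safe = render_cell_safe($payload) . "\n"
          . render_textbox_safe('custom_field_1', $payload);
    printf("vulnerable (payload survives: %s)\n%s\n",
        payload_survives($vuln, $payload) ? 'yes' : 'no', $vuln);
    printf("hardened   (payload survives: %s)\n%s\n\n",
        payload_survives($safe, $payload) ? 'yes' : 'no', $safe);
}
```

Run it with `php` on the command line. The design point is that encoding belongs at the output sink, not at input time: the same stored string flows into the issue view, the print report and the edit textbox, and each of those is a different context. The attribute payload is why `ENT_QUOTES` matters; with the default flags a single-quoted attribute would still be breakable, and a value attribute that is not quoted at all cannot be made safe by encoding alone.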
|Notes|
(0026219) dhx 2010-08-05 04:16
I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases.
Perhaps this is a duplicate of 0012232 which I fixed yesterday?

(0026221) atrol 2010-08-05 05:56
I don't think it's a duplicate because 0012232 fixes a problem with enumeration values. This one is for string values. I had a short look at your patch. Maybe this also fixed this problem because you changed function cfdef_input_textbox.
In the next few days I will try a nightly build and give you feedback.

(0026223) dhx 2010-08-05 09:58
Yep, I didn't just fix enumeration values... I fixed them all.
So I guess I fixed the same issue you came across too :)

(0026227) atrol 2010-08-05 11:39
Checked with nightly build http://www.mantisbt.org/builds/mantisbt-1.2.2-2010-08-05-master-1.2.x-9fc1dd8.zip
String problem is also fixed.
|Issue History|
|Date Modified||Username||Field||Change|
|2010-08-04 15:54||atrol||New Issue|||
|2010-08-04 15:57||jreese||Assigned To||=> dhx|
|2010-08-04 15:57||jreese||Status||new => assigned|
|2010-08-05 04:16||dhx||Note Added||0026219|
|2010-08-05 05:56||atrol||Note Added||0026221|
|2010-08-05 09:58||dhx||Note Added||0026223|
|2010-08-05 11:39||atrol||Note Added||0026227|
|2010-08-05 11:39||atrol||Status||assigned => resolved|
|2010-08-05 11:39||atrol||Fixed in Version||=> 1.2.3|
|2010-08-05 11:39||atrol||Resolution||open => fixed|
|2010-08-05 18:37||dhx||View Status||private => public|
|2011-08-02 12:35||dregad||Status||resolved => closed|
MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team