MantisBT

View Issue Details

ID: 0012234
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-08-04 15:54
Last Update: 2011-08-02 12:35
Reporter: atrol
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 1.2.2
Target Version: (not set)
Fixed in Version: 1.2.3
Summary: 0012234: XSS issues when using custom field String values
Description: Scripting code entered in a custom field of type String is executed when displaying the HTML report.
Steps To Reproduce:
1. Add a custom field with type String to a project
2. Add the column to the "Print Issues Columns"
3. Enter an issue with scripting code in the custom field
4. Select "View Issues"
5. Select "Print Reports"
6. Click on the IE icon
7. See your code being executed
Tags: No tags attached.
Attached Files: (none)

Relationships: (none)

Notes
(0026219)
dhx (developer)
2010-08-05 04:16

I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases.

Perhaps this is a duplicate of 0012232 which I fixed yesterday?
(0026221)
atrol (developer)
2010-08-05 05:56

I don't think it's a duplicate because 0012232 fixes a problem with enumeration values. This one is for string values. I had a short look at your patch. Maybe this also fixed this problem, because you changed function cfdef_input_textbox.
In the next few days I will try a nightly build and give you feedback.
(0026223)
dhx (developer)
2010-08-05 09:58

Yep I didn't just fix enumeration values... I fixed them all.

So I guess I fixed the same issue you came across too :)
(0026227)
atrol (developer)
2010-08-05 11:39

Checked with nightly build http://www.mantisbt.org/builds/mantisbt-1.2.2-2010-08-05-master-1.2.x-9fc1dd8.zip
The String problem is also fixed.
Thank you
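The fix the notes describe is output escaping: every custom field value must be encoded before it is written into the HTML report, whether it comes from an enumeration or a free String field. The following PHP snippet is an added illustration, not MantisBT's own code; the two function names and the sample field value are constructed for this example, and only the hardened form should ever reach a page.

```php
<?php
// Added example, not MantisBT code. Renders one String custom-field cell
// for an HTML report; function names and sample value are constructed.

// Weak pattern behind this report: the raw field value is concatenated
// straight into the markup, so any tags it contains become live HTML.
function render_cell_unescaped( $p_value ) {
    return '<td>' . $p_value . '</td>';
}

// Hardened pattern: encode <, >, &, " and ' so the browser renders the
// value as text. ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of
// letting htmlspecialchars() return an empty string and silently drop
// the value (a failure mode that is easy to miss in a report view).
function render_cell_escaped( $p_value ) {
    return '<td>'
        . htmlspecialchars( (string) $p_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
        . '</td>';
}

// Constructed sample: the sort of value the report describes a user
// entering into a String custom field.
$t_value = "<script>alert('xss')</script>";

// The first line is what the vulnerable report page emitted; the second is
// the same value as inert, visible text.
echo render_cell_unescaped( $t_value ), "\n";
echo render_cell_escaped( $t_value ), "\n";
```

The same escaping must be applied at every output point that prints the field, including the print and CSV/Excel export views, since fixing only the normal issue view leaves the report path exposed.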

Issue History
Date Modified Username Field Change
2010-08-04 15:54 atrol New Issue
2010-08-04 15:57 jreese Assigned To => dhx
2010-08-04 15:57 jreese Status new => assigned
2010-08-05 04:16 dhx Note Added: 0026219
2010-08-05 05:56 atrol Note Added: 0026221
2010-08-05 09:58 dhx Note Added: 0026223
2010-08-05 11:39 atrol Note Added: 0026227
2010-08-05 11:39 atrol Status assigned => resolved
2010-08-05 11:39 atrol Fixed in Version => 1.2.3
2010-08-05 11:39 atrol Resolution open => fixed
2010-08-05 18:37 dhx View Status private => public
2011-08-02 12:35 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team