2014-12-22 17:01 EST

View Issue Details
ID: 0012234
Project: mantisbt
Category: security
View Status: public
Last Update: 2011-08-02 12:35
Reporter: atrol
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.2
Target Version: (none)
Fixed in Version: 1.2.3
Summary: 0012234: XSS issues when using custom field String values
Description: Scripting code entered in a custom field of type String is executed when displaying the HTML report.
Steps To Reproduce:
1. Add a custom field with type String to a project
2. Add the column to the "Print Issues Columns"
3. Enter an issue with scripting code in the custom field
4. Select "View Issues"
5. Select "Print Reports"
6. Click on the IE icon
7. See your code being executed
Tags: No tags attached.
Attached Files: (none)
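The report above is a stored XSS chain: a String custom field value is saved verbatim and later concatenated into the HTML of the Print Reports page, so any markup in it reaches the browser unescaped. The notes below mention that the fix touched cfdef_input_textbox, i.e. the textbox that re-displays the stored value inside an HTML attribute, which is a different escaping context from a report table cell. The following is an added example, not MantisBT code: it models both rendering contexts with a vulnerable and a hardened version, feeds each a constructed payload of the kind step 3 describes, and uses a small parser-based check to confirm whether a script element or an event-handler attribute actually reaches the DOM. All function names and the sample payloads are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample values, of the kind an attacker would type into a
# String custom field (step 3 of the report). Not taken from the page.
SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>'
# Attribute break-out: closes value="..." and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


# --- Report table cell (text-node context), as in the Print Reports page ---

def render_report_cell_unsafe(value: str) -> str:
    """Vulnerable: the stored value is concatenated into the report as-is."""
    return '<td>' + value + '</td>'


def render_report_cell_safe(value: str) -> str:
    """Hardened: escape <, > and & before the value becomes part of a text node."""
    return '<td>' + html.escape(value, quote=False) + '</td>'


# --- Textbox that re-displays the value (attribute context), like a
#     cfdef_input_textbox-style input on the issue edit form ---

def render_textbox_unsafe(field_name: str, value: str) -> str:
    """Vulnerable: quotes in the value terminate the attribute early."""
    return '<input type="text" name="' + field_name + '" value="' + value + '" />'


def render_textbox_safe(field_name: str, value: str) -> str:
    """Hardened: quote=True also escapes " and ', which a text-node escape
    would leave alone, so the value cannot escape the attribute."""
    return '<input type="text" name="%s" value="%s" />' % (
        html.escape(field_name, quote=True),
        html.escape(value, quote=True),
    )


# --- Check: what does a parser actually see in the rendered fragment? ---

class _MarkupCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive already entity-decoded, matching the DOM view.
        self.tags.append((tag, dict(attrs)))


def parse_markup(fragment: str) -> list[tuple[str, dict]]:
    """Return [(tag, {attr: value, ...}), ...] for the fragment."""
    p = _MarkupCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def has_script_or_event_handler(fragment: str) -> bool:
    """True if a <script> element or any on* attribute survives into the DOM."""
    for tag, attrs in parse_markup(fragment):
        if tag == 'script':
            return True
        if any(name.startswith('on') for name in attrs):
            return True
    return False


def rendered_textbox_value(fragment: str) -> str:
    """The value attribute as the browser would see it after entity decoding."""
    return parse_markup(fragment)[0][1]['value']


if __name__ == '__main__':
    for label, frag in [
        ('cell unsafe', render_report_cell_unsafe(SCRIPT_PAYLOAD)),
        ('cell safe', render_report_cell_safe(SCRIPT_PAYLOAD)),
        ('textbox unsafe', render_textbox_unsafe('cf_1', ATTR_PAYLOAD)),
        ('textbox safe', render_textbox_safe('cf_1', ATTR_PAYLOAD)),
    ]:
        print('%-15s executable=%s  %s' % (label, has_script_or_event_handler(frag), frag))
```

The point the two safe renderers make is that the escaping has to match the output context: `html.escape(value, quote=False)` is enough for a table cell, but the same call would leave the attribute break-out intact in the textbox, which needs `quote=True`. The hardened textbox still round-trips the original text (the parsed `value` attribute equals the payload), it just no longer creates a new attribute. In PHP, the same distinction shows up as `htmlspecialchars()` needing `ENT_QUOTES` when a value may land in a single-quoted attribute, since the pre-8.1 default flags do not convert single quotes.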


Notes

~0026219 dhx (reporter)

I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases.

Perhaps this is a duplicate of 0012232 which I fixed yesterday?

~0026221 atrol (developer)

I don't think it's a duplicate because 0012232 fixes a problem with enumeration values. This one is for string values. I had a short look at your patch. Maybe this also fixed this problem, because you changed function cfdef_input_textbox.
The next few days I will try a nightly build and give you feedback.

~0026223 dhx (reporter)

Yep, I didn't just fix enumeration values... I fixed them all.

So I guess I fixed the same issue you came across too :)

~0026227 atrol (developer)

Checked with nightly build http://www.mantisbt.org/builds/mantisbt-1.2.2-2010-08-05-master-1.2.x-9fc1dd8.zip
String problem is also fixed
Thank you

Issue History
Date Modified Username Field Change
2010-08-04 15:54 atrol New Issue
2010-08-04 15:57 jreese Assigned To => dhx
2010-08-04 15:57 jreese Status new => assigned
2010-08-05 04:16 dhx Note Added: 0026219
2010-08-05 05:56 atrol Note Added: 0026221
2010-08-05 09:58 dhx Note Added: 0026223
2010-08-05 11:39 atrol Note Added: 0026227
2010-08-05 11:39 atrol Status assigned => resolved
2010-08-05 11:39 atrol Fixed in Version => 1.2.3
2010-08-05 11:39 atrol Resolution open => fixed
2010-08-05 18:37 dhx View Status private => public
2011-08-02 12:35 dregad Status resolved => closed