View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0012234||mantisbt||security||public||2010-08-04 15:54||2011-08-02 12:35|
|Target Version||Fixed in Version||1.2.3|
|Summary||0012234: XSS issues when using custom field String values|
Scripting code entered in custom field String is executed when displaying HTML-Report
|Steps To Reproduce|
|Tags||No tags attached.|
I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases.
Perhaps this is a duplicate of 0012232 which I fixed yesterday?
I don't think it's a duplicate because 0012232 fixes a problem with enumeration values. This one is for string values. I had a short look at your patch. Maybe this also fixed this problem because you changed function cfdef_input_textbox.
Yep I didn't just fix enumeration values... I fixed them all.
So I guess I fixed the same issue you came across too :)
Checked with nightly build http://www.mantisbt.org/builds/mantisbt-1.2.2-2010-08-05-master-1.2.x-9fc1dd8.zip
|2010-08-04 15:54||atrol||New Issue|
|2010-08-04 15:57||jreese||Assigned To||=> dhx|
|2010-08-04 15:57||jreese||Status||new => assigned|
|2010-08-05 04:16||dhx||Note Added: 0026219|
|2010-08-05 05:56||atrol||Note Added: 0026221|
|2010-08-05 09:58||dhx||Note Added: 0026223|
|2010-08-05 11:39||atrol||Note Added: 0026227|
|2010-08-05 11:39||atrol||Status||assigned => resolved|
|2010-08-05 11:39||atrol||Fixed in Version||=> 1.2.3|
|2010-08-05 11:39||atrol||Resolution||open => fixed|
|2010-08-05 18:37||dhx||View Status||private => public|
|2011-08-02 12:35||dregad||Status||resolved => closed|