0012234: XSS issues when using custom field String values

ID	Project	Category	View Status	Date Submitted	Last Update
0012234	mantisbt	security	public	2010-08-04 15:54	2011-08-02 12:35

Reporter	atrol	Assigned To	dhx
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.2
Fixed in Version	1.2.3

Summary	0012234: XSS issues when using custom field String values
Description	Scripting code entered in custom field String is executed when displaying HTML-Report
Steps To Reproduce	Add a custom field with type String to a project Add the column to the "Print Issues Columns" Enter an issue with scripting code in custom field Select "View Issues" Select "Print Reports" Click on the IE icon See your code beeing executed
Tags	No tags attached.

dhx 2010-08-05 04:16 reporter ~0026219	I cannot reproduce this problem with the latest 1.2.x and 1.3.x releases. Perhaps this is a duplicate of 0012232 which I fixed yesterday?

atrol 2010-08-05 05:56 developer ~0026221	I don't think it's a duplicate bececause 0012232 fixes a problem with enumeration values. This one is for string values. I had a short look at your patch. Maybe this fixed also this problem because you changed function cfdef_input_textbox. The next few days I will try a nightly build and give you feedback.

dhx 2010-08-05 09:58 reporter ~0026223	Yep I didn't just fix enumeration values... I fixed them all. So I guess I fixed the same issue you came across too :)

atrol 2010-08-05 11:39 developer ~0026227	Checked with nightly build http://www.mantisbt.org/builds/mantisbt-1.2.2-2010-08-05-master-1.2.x-9fc1dd8.zip String problem is also fixed Thank you