MantisBT

View Issue Details
ID: 0012309
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-08-30 02:55
Last Update: 2011-08-02 12:35
Reporter: atrol
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not specified
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012309: XSS issues when viewing Summary page
Description: Scripting code entered in summary field might be executed when displaying Summary page
Steps To Reproduce:
1. Enter an issue with scripting code in Summary field
2. View "Summary" page
3. See your code being executed if issue is displayed in list of longest open issues
Tags: No tags attached.
Attached Files: issue12309.patch (1,154 bytes) 2010-09-02 04:39

- Relationships
related to 0012432 (closed, giallu): XSS issues when viewing Summary page

- Notes
(0026511) atrol (developer), 2010-08-30 02:59

Reminder sent to: dhx, jreese

Please have a look at the patch and, if it's OK, let it become part of the next version.
(0026512) dhx (reporter), 2010-08-30 03:07

Good find, thanks atrol.

The only comment I have is that I think we should be using string_display_line() instead of string_html_specialchars() for sanitising the summary. I can fix that up in your patch when I commit it.
(0026513) atrol (developer), 2010-08-30 03:13, edited on 2010-08-30 03:22

I changed it the same way as it's done for the list of most active issues.
If string_html_specialchars is the right way to do it, you have to change it twice.

(0026546) atrol (developer), 2010-09-02 04:40

Updated patch to use string_display_line()
(0026547) dhx (reporter), 2010-09-02 07:24

Thanks Roland, I've committed it at long last. Sorry for the delay!
(0026548) dhx (reporter), 2010-09-02 07:27

That was your first patch? Congratulations! :)
(0026552) atrol (developer), 2010-09-02 07:45

It's the second, first was 0012217 :)
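
As an added illustration (not MantisBT's own code and not the attached patch), the pattern the ticket describes and the fix the notes settle on: a Summary-page row rendered with the raw summary string beside one escaped at the point of output. MantisBT's string_display_line() is stood in for by plain htmlspecialchars(), the function and variable names are assumed, and the summary value is constructed test data.

```php
<?php
// Added illustration, not MantisBT's own code. Names below are assumed.
declare(strict_types=1);

// Stand-in for MantisBT's string_display_line(): the real function does more
// (e.g. link handling), but the part that stops injected markup is HTML escaping.
function escape_summary(string $summary): string
{
    return htmlspecialchars($summary, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored summary is concatenated straight into the table cell,
// so any markup a user typed into the Summary field becomes part of the page.
function render_row_unescaped(int $bug_id, string $summary): string
{
    return '<tr><td>' . $bug_id . '</td><td>' . $summary . '</td></tr>';
}

// Fixed pattern: the untrusted value is escaped once, at output, in every row type
// (the note points out that the "most active issues" list needs the same treatment).
function render_row_escaped(int $bug_id, string $summary): string
{
    return '<tr><td>' . $bug_id . '</td><td>' . escape_summary($summary) . '</td></tr>';
}

// Regression check for a review or test suite: does the rendered HTML still contain
// an unescaped tag that came from the input?
function contains_unescaped_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample summary carrying a script tag (no real issue data).
$summary = 'Login fails <script>/* probe */</script>';

var_dump(contains_unescaped_tag(render_row_unescaped(42, $summary), 'script'));
var_dump(contains_unescaped_tag(render_row_escaped(42, $summary), 'script'));
```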

- Related Changesets
MantisBT: master-1.2.x 085097fc
Timestamp: 2010-09-02 08:33:35
Author: atrol
Committer: dhx
Fix 0012309: XSS issues when viewing Summary page

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - core/summary_api.php
MantisBT: master 61e90d06
Timestamp: 2010-09-02 08:33:35
Author: atrol
Committer: dhx
Fix 0012309: XSS issues when viewing Summary page

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
mod - core/summary_api.php

- Issue History
Date Modified Username Field Change
2010-08-30 02:55 atrol New Issue
2010-08-30 02:57 atrol File Added: issue12309.patch
2010-08-30 02:59 atrol Note Added: 0026511
2010-08-30 03:07 dhx Note Added: 0026512
2010-08-30 03:07 dhx Assigned To => dhx
2010-08-30 03:07 dhx Status new => assigned
2010-08-30 03:13 atrol Note Added: 0026513
2010-08-30 03:22 atrol Note Edited: 0026513
2010-09-02 04:39 atrol File Deleted: issue12309.patch
2010-09-02 04:39 atrol File Added: issue12309.patch
2010-09-02 04:40 atrol Note Added: 0026546
2010-09-02 07:24 dhx Changeset attached => MantisBT master-1.2.x 085097fc
2010-09-02 07:24 dhx Resolution open => fixed
2010-09-02 07:24 dhx Fixed in Version => 1.2.3
2010-09-02 07:24 dhx Note Added: 0026547
2010-09-02 07:24 dhx Status assigned => resolved
2010-09-02 07:25 dhx Changeset attached => MantisBT master 61e90d06
2010-09-02 07:27 dhx Note Added: 0026548
2010-09-02 07:45 atrol Note Added: 0026552
2010-09-19 02:03 dhx View Status private => public
2010-10-07 05:46 giallu Issue cloned: 0012432
2010-10-07 05:46 giallu Relationship added related to 0012432
2011-08-02 12:35 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team