MantisBT: master-1.2.x 05378e00

Author: dregad
Committer: dregad
Branch: master-1.2.x
Timestamp: 2014-11-27 14:15
Parent: master-1.2.x e5fc835a
Affected Issues: 0017297: CVE-2014-9272: XSS in string_insert_hrefs allows script execution
Changeset

Fix 0017297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).

mod - core/string_api.php
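The commit message describes the bug class but the page carries no diff, so the following is an added PHP example, not MantisBT's string_insert_hrefs or its actual fix. It shows an autolinker of the same shape with the scheme check the message says the original regex lacked: only allow-listed schemes become anchors, and a `javascript://` token is left as inert text. The function name `insert_hrefs_checked`, the default allow-list and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example (not MantisBT's code): an autolinker that only turns URLs with
// an allow-listed scheme into anchors. Function name and allow-list are
// hypothetical; the point is the scheme check described in the commit message.

/**
 * Escape $text for HTML, then wrap URLs with an allow-listed scheme in <a> tags.
 * URLs with any other scheme (e.g. javascript://) stay as plain escaped text.
 */
function insert_hrefs_checked(string $text, array $allowed_schemes = ['http', 'https', 'ftp']): string
{
    // Escape first so no raw <, >, " or ' from user input can reach the markup.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Capture the scheme on its own so it can be checked. The URL body stops at
    // whitespace or at an escaped <, >, " or ' entity so those never enter the href.
    $pattern = '~\b([a-z][a-z0-9+.\-]*)://(?:(?!&(?:lt|gt|quot|#039);)\S)+~i';

    return preg_replace_callback(
        $pattern,
        function (array $m) use ($allowed_schemes): string {
            $scheme = strtolower($m[1]);
            if (!in_array($scheme, $allowed_schemes, true)) {
                // Scheme not on the allow-list: keep the text, emit no link.
                return $m[0];
            }
            // Already HTML-escaped above, so safe in both attribute and text context.
            return '<a href="' . $m[0] . '">' . $m[0] . '</a>';
        },
        $escaped
    );
}

// Constructed sample inputs (not from the page).
$samples = [
    'See http://example.com/page?a=1&b=2 for details',
    'Try javascript://not-a-link and "quoted" text',
];

foreach ($samples as $s) {
    echo insert_hrefs_checked($s), PHP_EOL;
}
// The first line gets an <a> tag around the http URL (with & rendered as &amp;);
// in the second, the javascript:// token is printed unchanged and unlinked.
```

Escaping the whole string before matching, rather than escaping only the matched URL, is the simpler design to reason about: once `htmlspecialchars` has run, the callback cannot introduce a quote or angle bracket into the anchor whatever the input contained, and the only remaining decision is the scheme comparison against the allow-list. Matching on `\S+` means trailing punctuation such as a final period is absorbed into the link; trimming it is a usability refinement, not a security one.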