View Issue Details

ID: 0025749
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2019-08-25 12:36
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.22.0
Fixed in Version: 2.22.0
Summary: 0025749: error_string() does not allow HTML tags inside of error messages
Description

Many of our language strings rely on sprintf() to insert dynamic parameters prior to output; several strings also include HTML tags (a, br, em, strong, etc.).

Since 1.2.0a1, the error_string() API function sanitizes the resulting string (i.e. the language string after parameter substitution) via a htmlspecialchars() call to protect from potential XSS attacks (see 0008202). Consequently, the tags are escaped and the formatting is lost.

Considering that the language strings themselves are trusted input, we should only encode the parameters.

It would also make sense to allow br tags without attributes within parameters.
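The following is an added illustration of the two behaviours described above (escape the whole string after substitution versus escape only the parameters, re-allowing bare br tags). It is not MantisBT's own error_string() implementation; the function names, the language string and the parameter values are constructed for this example.

```php
<?php
// Added example, not MantisBT code: escape only the sprintf() parameters of an
// error message while treating the language template itself as trusted input.
// Function names, the template and the sample parameters are constructed.

/**
 * Escape one parameter for HTML output, then restore bare <br> tags
 * (no attributes) so callers can still insert line breaks.
 */
function escape_error_param( $p_value ) {
	$t_escaped = htmlspecialchars( (string)$p_value, ENT_QUOTES, 'UTF-8' );
	// Re-allow <br>, <br/> and <br /> only; a br with attributes stays escaped.
	return preg_replace( '/&lt;br\s*\/?&gt;/i', '<br />', $t_escaped );
}

/**
 * The reported behaviour: escaping is applied after substitution to the
 * whole string, so the template's own markup is lost together with any
 * markup coming from the parameters.
 */
function error_string_escape_all( $p_template, array $p_params ) {
	return htmlspecialchars( vsprintf( $p_template, $p_params ), ENT_QUOTES, 'UTF-8' );
}

/**
 * The proposed behaviour: the template is trusted, so only the parameters
 * are escaped before they are substituted into the placeholders.
 */
function error_string_escape_params( $p_template, array $p_params ) {
	$t_params = array_map( 'escape_error_param', $p_params );
	return vsprintf( $p_template, $t_params );
}

// Constructed language string in the style of a lang file entry.
$t_template = 'Field <strong>%1$s</strong> is invalid:<br />%2$s';

// Constructed parameters: a field name that is not trusted, and a detail
// message that legitimately uses a bare <br> for a line break.
$t_params = array(
	'<script>alert(1)</script>',
	'value too long<br>maximum is 64 characters',
);

echo error_string_escape_all( $t_template, $t_params ), PHP_EOL;
echo error_string_escape_params( $t_template, $t_params ), PHP_EOL;
```

Run with the PHP CLI. The first line of output has every tag escaped, including the strong and br tags that belong to the template. In the second line the template's markup is intact, the script element from the first parameter is rendered as escaped text, and the bare br in the second parameter is restored as a line break; a br carrying attributes would remain escaped because the regular expression only matches the bare form.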

Tags: No tags attached.

Relationships

related to 0008202 (closed, grangeway): Potential Cross-Site Scripting Flaws

Activities

Related Changesets

MantisBT: master 3dada1bf

2019-05-09 11:32:27

dregad

error_string() allow HTML tags in lang string

Prior to this, HTML escaping was applied after parameter substitution,
on the whole string.

Now, the language string for the error message is considered trusted
input and is therefore not escaped; we only process the parameters,
allowing <br> tags, before they are inserted into the placeholders.

Fixes 0025749
Affected Issues
0025749
mod - core/error_api.php

Issue History

Date Modified Username Field Change
2019-05-09 10:16 dregad New Issue
2019-05-09 10:16 dregad Status new => assigned
2019-05-09 10:16 dregad Assigned To => dregad
2019-05-09 10:16 dregad Relationship added related to 0008202
2019-05-09 12:08 dregad Note Added: 0062048
2019-05-29 09:24 dregad Changeset attached => MantisBT master 3dada1bf
2019-05-29 09:24 dregad Status assigned => resolved
2019-05-29 09:24 dregad Resolution open => fixed
2019-05-29 09:24 dregad Fixed in Version => 2.22.0
2019-08-25 12:36 vboctor Status resolved => closed