From: <gi...@ma...> - 2009-12-01 06:11:27
The branch, master-1.2.x has been updated via 67ed4313c071d811c496d8dcd685b9106687b9c5 (commit) from b1f59933bdd822be0520055b5bbe2b7560d56a44 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 67ed4313c071d811c496d8dcd685b9106687b9c5 Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:08:53 2009 +1100 Fix #11239: XSS on view_user_page.php with user Real Name field User real names aren't sanitised before display on view_user_page.php thus this leads to an XSS vulnerability. ----------------------------------------------------------------------- Summary of changes: view_user_page.php | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) ----------------------------------------------------------------------- commit 67ed4313c071d811c496d8dcd685b9106687b9c5 Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:08:53 2009 +1100 Fix #11239: XSS on view_user_page.php with user Real Name field User real names aren't sanitised before display on view_user_page.php thus this leads to an XSS vulnerability. diff --git a/view_user_page.php b/view_user_page.php index 8e2ec81..82ef021 100644 --- a/view_user_page.php +++ b/view_user_page.php @@ -64,7 +64,7 @@ <?php echo lang_get( 'username' ) ?> </td> <td width="75%"> - <?php echo $u_username ?> + <?php echo string_display_line( $u_username ) ?> </td> </tr> @@ -98,7 +98,7 @@ if ( ! ( $t_can_manage || $t_can_see_realname ) ) { print error_string(ERROR_ACCESS_DENIED); } else { - echo $u_realname; + echo string_display_line( $u_realname ); } ?> </td> ----------------------------------------------------------------------- -- Mantis Bug Tracker |
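Review bot: the @@ -64,7 +64,7 @@ hunk also wraps $u_username in string_display_line(), yet the commit title and body mention only the Real Name field; amend the message to say the username sink on the same page is fixed as well, so the ticket and changelog record both. Also confirm that string_display_line() is the right encoder for these two fields: if it restores any whitelisted HTML tags after escaping, a bare string_html_specialchars() would be the tighter choice for values that never legitimately contain markup.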
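Review bot: the @@ -98,7 +98,7 @@ hunk mixes output statements, `print error_string(ERROR_ACCESS_DENIED);` in the if branch and `echo string_display_line( $u_realname );` in the else; use one form in the block. More importantly, this encodes a single sink on view_user_page.php; any other page that renders a user's Real Name needs the same treatment (or the encoding belongs in the helper that produces the display name), so note in #11239 which other sinks were audited.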
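The sink the commit fixes, shown as an added example that is not MantisBT's code: a user-controlled Real Name echoed raw into an HTML cell beside the encoded form. PHP's htmlspecialchars() stands in for string_display_line(), which is not reproduced here, and the sample names are constructed.

```php
<?php
// Added example, not MantisBT code. Shows the view_user_page.php sink from
// the commit above before and after encoding. htmlspecialchars() is used as
// a stand-in for string_display_line() (assumption: equivalent intent).

// Constructed attacker-controlled profile values (sample data, not real).
$samples = array(
	'Alice Example',
	'<script>alert(document.cookie)</script>',
	'" onmouseover="alert(1)',
	'Bob <b>bold</b> &amp; Co',
);

// Vulnerable sink: what the page did before the fix.
function render_realname_vulnerable( $p_realname ) {
	return '<td width="75%">' . $p_realname . '</td>';
}

// Hardened sink: encode every HTML metacharacter, including both quote
// styles, so the value can only ever be text inside the cell.
function display_line( $p_string ) {
	return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
}

function render_realname_fixed( $p_realname ) {
	return '<td width="75%">' . display_line( $p_realname ) . '</td>';
}

// Crude regression check: strip the cell's own markup and look for any
// raw metacharacter that survived from the input.
function contains_injected_markup( $p_html ) {
	$t_inner = substr( $p_html, strlen( '<td width="75%">' ), -strlen( '</td>' ) );
	return strpbrk( $t_inner, '<>"\'' ) !== false;
}

foreach ( $samples as $t_name ) {
	$t_vuln = render_realname_vulnerable( $t_name );
	$t_fixed = render_realname_fixed( $t_name );
	printf( "input: %s\n  vulnerable: %s (injected: %s)\n  fixed:      %s (injected: %s)\n",
		$t_name,
		$t_vuln, contains_injected_markup( $t_vuln ) ? 'yes' : 'no',
		$t_fixed, contains_injected_markup( $t_fixed ) ? 'yes' : 'no' );
}
```

Run it with `php` from the command line; the second and third samples show why encoding both quote styles matters, since an attribute-breaking payload needs no angle brackets at all.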