From: <gi...@ma...> - 2009-12-01 06:35:28
The branch, master has been updated
       via  a77662d5823e8710a8634a4fec28d4678dee1475 (commit)
      from  0aeb2ea2895d64c21de2f701cda3a92f9e8bc964 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a77662d5823e8710a8634a4fec28d4678dee1475
Author: David Hicks <hic...@op...>
Date:   Tue Dec 1 17:34:21 2009 +1100

    Fix #11242: XSS on manage_proj_edit_page.php with user Real Name field

    Categories that are assigned to users whose names contain
    "<script>alert(42);</script>" will cause an XSS bug on
    manage_proj_edit_page.php. The user real name needs to be sanitised
    before being printed.

-----------------------------------------------------------------------

Summary of changes:
 manage_proj_edit_page.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
-----------------------------------------------------------------------

commit a77662d5823e8710a8634a4fec28d4678dee1475
Author: David Hicks <hic...@op...>
Date:   Tue Dec 1 17:34:21 2009 +1100

    Fix #11242: XSS on manage_proj_edit_page.php with user Real Name field

    Categories that are assigned to users whose names contain
    "<script>alert(42);</script>" will cause an XSS bug on
    manage_proj_edit_page.php. The user real name needs to be sanitised
    before being printed.

diff --git a/manage_proj_edit_page.php b/manage_proj_edit_page.php
index e0c8272..b80cfda 100644
--- a/manage_proj_edit_page.php
+++ b/manage_proj_edit_page.php
@@ -357,7 +357,7 @@ if ( access_has_global_level ( config_get( 'delete_project_threshold' ) ) ) { ?> <?php echo string_display( category_full_name( $t_category['id'] , /* showProject */ $t_inherited, $f_project_id ) ) ?> </td> <td> - <?php echo $t_user_name ?> + <?php echo string_display_line( $t_user_name ) ?> </td> <td class="center"> <?php if ( !$t_inherited ) { ----------------------------------------------------------------------- -- Mantis Bug Tracker |
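Review bot: The fix only encodes this one echo of $t_user_name in the category table; the user real name is attacker-controlled data that any other template printing it raw will expose in exactly the same way, so the same grep that found this site should be run for other unescaped echoes of user names before closing #11242. Wrapping the output in string_display_line() is the right place to fix it (encode at the output sink, not at input, so the stored name is unchanged), and choosing the single-line variant over the string_display() used for the category name two lines above is correct for a one-line field. The hunk gives no test; a regression check that creates a user whose real name is "<script>alert(42);</script>", assigns a category to that user and asserts the rendered page contains "&lt;script&gt;" would keep this from regressing.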