From: Paul <pa...@qu...> - 2007-03-27 21:57:38
This patch should be reverted imo. string_display already calls htmlspecialchars + others:

    function string_display( $p_string ) {
        $p_string = string_strip_hrefs( $p_string );
        $p_string = string_html_specialchars( $p_string );
        $p_string = string_restore_valid_html_tags( $p_string );
        $p_string = string_preserve_spaces_at_bol( $p_string );
        $p_string = string_nl2br( $p_string );

        return $p_string;
    }

What's the purpose of this? Am I missing something?

Paul

-----Original Message-----
From: man...@li... [mailto:man...@li...] On Behalf Of zakman
Sent: 23 March 2007 22:56
To: man...@li...
Subject: [mantisbt-cvs] mantisbt adm_config_report.php,1.6,1.7

Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs7.sourceforge.net:/tmp/cvs-serv29617

Modified Files:
	adm_config_report.php
Log Message:
Fixed: 0007545: config values are not escaped

Index: adm_config_report.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/adm_config_report.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- adm_config_report.php	6 Mar 2007 07:05:18 -0000	1.6
+++ adm_config_report.php	23 Mar 2007 22:55:55 -0000	1.7
@@ -1,4 +1,4 @@
-<?php
+CONFIG_TYPE_STRING<?php
 # Mantis - a php based bugtracking system
 # Copyright (C) 2000 - 2002 Kenzaburo Ito - ke...@30...
 # Copyright (C) 2002 - 2006 Mantis Team - man...@li...
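Review bot: the first hunk turns line 1 from `<?php` into `CONFIG_TYPE_STRING<?php`, which has nothing to do with the log message and looks like an accidental paste of the constant name from the second hunk. Anything in front of the open tag is sent to the client as literal output, so the report page will begin with the text CONFIG_TYPE_STRING and any later header() call will fail with "headers already sent". Drop that change and keep `<?php` as the first line of the file.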
@@ -41,7 +41,7 @@
 		return;
 	case CONFIG_TYPE_STRING:
 		$t_value = config_eval( $p_value );
-		echo "'" . string_display( $t_value ) . "'";
+		echo htmlspecialchars( "'$t_value'" );
 		return;
 	case CONFIG_TYPE_COMPLEX:
 		$t_value = unserialize( $p_value );
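Review bot: the old line in the CONFIG_TYPE_STRING case was already escaped, because string_display() passes the value through string_html_specialchars() (see the function quoted in the reply above), so "config values are not escaped" does not describe what this hunk changes. What it actually changes is that string_restore_valid_html_tags(), string_preserve_spaces_at_bol() and string_nl2br() no longer run on the value, so whatever tags string_restore_valid_html_tags() would have put back are now rendered as text. If that is the real problem behind 0007545, the log message should say so explicitly; if it is not, the hunk should be reverted, since the bare htmlspecialchars() call adds no escaping that `string_display( $t_value )` was not already doing.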