From: <gi...@ma...> - 2009-12-01 06:28:16
The branch, master-1.2.x has been updated via ee7ee6d4f699abe405ea2dc56105be6e7e83105f (commit) from 194099694d91c775739b4cf2926829fb95ab3f07 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit ee7ee6d4f699abe405ea2dc56105be6e7e83105f Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:27:16 2009 +1100 Fix #11241: XSS on manage_proj_page.php with user Real Name field Categories that are assigned to users whose names contain "<script>alert(42);</script>" will cause a XSS bug on manage_proj_page.php. The user real name needs to be sanitised before being printed. ----------------------------------------------------------------------- Summary of changes: manage_proj_page.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) ----------------------------------------------------------------------- commit ee7ee6d4f699abe405ea2dc56105be6e7e83105f Author: David Hicks <hic...@op...> Date: Tue Dec 1 17:27:16 2009 +1100 Fix #11241: XSS on manage_proj_page.php with user Real Name field Categories that are assigned to users whose names contain "<script>alert(42);</script>" will cause a XSS bug on manage_proj_page.php. The user real name needs to be sanitised before being printed. diff --git a/manage_proj_page.php b/manage_proj_page.php index 823e44b..b9f1ac0 100644 --- a/manage_proj_page.php +++ b/manage_proj_page.php @@ -201,7 +201,7 @@ <?php echo string_display( category_full_name( $t_category['id'], false ) ) ?> </td> <td> - <?php echo $t_user_name ?> + <?php echo string_display_line( $t_user_name ) ?> </td> <td class="center"> <?php ----------------------------------------------------------------------- -- Mantis Bug Tracker |
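Review bot: the hunk replaces the raw `<?php echo $t_user_name ?>` with `<?php echo string_display_line( $t_user_name ) ?>`, which is the right fix if `string_display_line` HTML-encodes `<`, `>`, `"` and `&` before applying its line formatting; please confirm that encoding happens on this path rather than only link processing, otherwise the "<script>alert(42);</script>" name from the commit message would still render. The summary shows one insertion and one deletion in manage_proj_page.php only, so any other place this file (or the other manage_* pages) echoes a user real name without going through a `string_display*` helper is still exposed to the same bug; a follow-up grep for bare `echo $t_user_name` style output would be worth doing. Minor consistency point: the category cell two lines above uses `string_display` while the user cell now uses `string_display_line`; a one-line comment on why the single-line variant is chosen for names would help the next reader.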