[Mantisbt-cvs] mantisbt print_bug_page.php,1.56,1.57 print_all_bug_page.php,1.83,1.84 manage_proj_edit_page.php,1.92,1.93 manage_proj_create.php,1.7,1.8 manage_config_workflow_page.php,1.16,1.17 manage_config_work_threshold_page.php,1.11,1.12 manage_config_email_page.php,1.8,1.9 changelog_page.php,1.16,1.17 bug_view_page.php,1.77,1.78 bug_view_advanced_page.php,1.76,1.77

[Glenn H. <thr...@us...>]

Update of /cvsroot/mantisbt/mantisbt
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv21463

Modified Files:
	print_bug_page.php print_all_bug_page.php 
	manage_proj_edit_page.php manage_proj_create.php 
	manage_config_workflow_page.php 
	manage_config_work_threshold_page.php 
	manage_config_email_page.php changelog_page.php 
	bug_view_page.php bug_view_advanced_page.php 
Log Message:
fix for 0006546: Port #6544: XSS Vulnerability in project name (TKADV2005-11-002)
 - Prevent HTML or scripts from being embedded in project name
 - Remove unwarranted HTML from project name


Index: manage_config_workflow_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_config_workflow_page.php,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- manage_config_workflow_page.php	31 Aug 2005 22:49:46 -0000	1.16
+++ manage_config_workflow_page.php	1 Jan 2006 02:56:39 -0000	1.17
@@ -398,7 +398,7 @@
 	if ( ALL_PROJECTS == $t_project ) {
 	    $t_project_title = lang_get( 'config_all_projects' );
 	} else {
-	    $t_project_title = sprintf( lang_get( 'config_project' ) , project_get_name( $t_project ) );
+	    $t_project_title = sprintf( lang_get( 'config_project' ) , string_display( project_get_name( $t_project ) ) );
 	}
 	echo '<p class="bold">' . $t_project_title . '</p>' . "\n";
 	echo '<p>' . lang_get( 'colour_coding' ) . '<br />';

Index: changelog_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/changelog_page.php,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- changelog_page.php	29 Oct 2005 10:10:53 -0000	1.16
+++ changelog_page.php	1 Jan 2006 02:56:39 -0000	1.17
@@ -21,7 +21,7 @@
 		$t_version_name = version_get_field( $p_version_id, 'version' );
 		$t_project_name = project_get_field( $t_project_id, 'name' );
 
-		$t_release_title = $t_project_name . ' - ' . $t_version_name;
+		$t_release_title = string_display( $t_project_name ) . ' - ' . string_display( $t_version_name );
 		echo $t_release_title, '<br />';
 		echo str_pad( '', strlen( $t_release_title ), '=' ), '<br />';
 
@@ -74,7 +74,7 @@
 
 		$t_version_rows = version_get_all_rows( $t_project_id );
 
-		echo '<br /><span class="pagetitle">', $t_project_name, ' - ', lang_get( 'changelog' ), '</span><br /><br />';
+		echo '<br /><span class="pagetitle">', string_display( $t_project_name ), ' - ', lang_get( 'changelog' ), '</span><br /><br />';
 		echo '<tt>';
 
 		$i = 0;

Index: print_all_bug_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/print_all_bug_page.php,v
retrieving revision 1.83
retrieving revision 1.84
diff -u -d -r1.83 -r1.84
--- print_all_bug_page.php	24 May 2005 23:22:48 -0000	1.83
+++ print_all_bug_page.php	1 Jan 2006 02:56:39 -0000	1.84
@@ -79,7 +79,7 @@
 
 <table class="width100"><tr><td class="form-title">
 	<div class="center">
-		<?php echo config_get( 'window_title' ) . ' - ' . project_get_name( $t_project_id ); ?>
+		<?php echo config_get( 'window_title' ) . ' - ' . string_display( project_get_name( $t_project_id ) ); ?>
 	</div>
 </td></tr></table>
 

Index: bug_view_advanced_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/bug_view_advanced_page.php,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -d -r1.76 -r1.77
--- bug_view_advanced_page.php	10 Aug 2005 19:59:13 -0000	1.76
+++ bug_view_advanced_page.php	1 Jan 2006 02:56:40 -0000	1.77
@@ -144,7 +144,7 @@
 	<!-- Category -->
 	<td>
 		<?php
-			$t_project_name = project_get_field( $t_bug->project_id, 'name' );
+			$t_project_name = string_display( project_get_field( $t_bug->project_id, 'name' ) );
 			echo "[$t_project_name] $t_bug->category";
 		?>
 	</td>

Index: manage_config_email_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_config_email_page.php,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- manage_config_email_page.php	16 Jul 2005 01:46:03 -0000	1.8
+++ manage_config_email_page.php	1 Jan 2006 02:56:39 -0000	1.9
@@ -229,7 +229,7 @@
 	    if ( ALL_PROJECTS == $t_project ) {
 	        $t_project_title = lang_get( 'config_all_projects' );
 	    } else {
-	        $t_project_title = sprintf( lang_get( 'config_project' ) , project_get_name( $t_project ) );
+	        $t_project_title = sprintf( lang_get( 'config_project' ) , string_display( project_get_name( $t_project ) ) );
 	    }
 	    echo '<p class="bold">' . $t_project_title . '</p>' . "\n";
 	    echo '<p>' . lang_get( 'colour_coding' ) . '<br />';

Index: bug_view_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/bug_view_page.php,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -d -r1.77 -r1.78
--- bug_view_page.php	10 Aug 2005 19:59:13 -0000	1.77
+++ bug_view_page.php	1 Jan 2006 02:56:40 -0000	1.78
@@ -146,7 +146,7 @@
 	<!-- Category -->
 	<td>
 		<?php
-			$t_project_name = project_get_field( $t_bug->project_id, 'name' );
+			$t_project_name = string_display( project_get_field( $t_bug->project_id, 'name' ) );
 			echo "[$t_project_name] $t_bug->category";
 		?>
 	</td>

Index: print_bug_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/print_bug_page.php,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -d -r1.56 -r1.57
--- print_bug_page.php	10 Aug 2005 20:07:01 -0000	1.56
+++ print_bug_page.php	1 Jan 2006 02:56:39 -0000	1.57
@@ -65,7 +65,7 @@
 <table class="width100" cellspacing="1">
 <tr>
 	<td class="form-title" colspan="6">
-		<div class="center"><?php echo config_get( 'window_title' ) . ' - ' . project_get_name( $v_project_id ) ?></div>
+		<div class="center"><?php echo config_get( 'window_title' ) . ' - ' . string_display( project_get_name( $v_project_id ) ) ?></div>
 	</td>
 </tr>
 <tr>

Index: manage_config_work_threshold_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_config_work_threshold_page.php,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- manage_config_work_threshold_page.php	1 Aug 2005 13:42:55 -0000	1.11
+++ manage_config_work_threshold_page.php	1 Jan 2006 02:56:39 -0000	1.12
@@ -242,7 +242,7 @@
 	if ( ALL_PROJECTS == $t_project_id ) {
 	    $t_project_title = lang_get( 'config_all_projects' );
 	} else {
-	    $t_project_title = sprintf( lang_get( 'config_project' ) , project_get_name( $t_project_id ) );
+	    $t_project_title = sprintf( lang_get( 'config_project' ) , string_display( project_get_name( $t_project_id ) ) );
 	}
 	echo '<p class="bold">' . $t_project_title . '</p>' . "\n";
 	echo '<p>' . lang_get( 'colour_coding' ) . '<br />';

Index: manage_proj_edit_page.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_proj_edit_page.php,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -d -r1.92 -r1.93
--- manage_proj_edit_page.php	26 Jul 2005 12:41:02 -0000	1.92
+++ manage_proj_edit_page.php	1 Jan 2006 02:56:39 -0000	1.93
@@ -244,7 +244,7 @@
                 continue;
 		}
 ?>
-				<option value="<?php echo $t_project['id'] ?>"><?php echo $t_project['name'] ?></option>
+				<option value="<?php echo $t_project['id'] ?>"><?php echo string_attribute( $t_project['name'] ) ?></option>
 <?php
 	} # End looping over projects
 ?>

Index: manage_proj_create.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/manage_proj_create.php,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -d -r1.7 -r1.8
--- manage_proj_create.php	13 Feb 2005 21:36:17 -0000	1.7
+++ manage_proj_create.php	1 Jan 2006 02:56:39 -0000	1.8
@@ -25,7 +25,7 @@
 	$f_status		= gpc_get_int( 'status' );
 	$f_file_path	= gpc_get_string( 'file_path', '' );
 
-	$t_project_id = project_create( $f_name, $f_description, $f_status, $f_view_state, $f_file_path );
+	$t_project_id = project_create( string_strip_tags( $f_name ), $f_description, $f_status, $f_view_state, $f_file_path );
 
 	if ( ( $f_view_state == VS_PRIVATE ) && ( false === current_user_is_administrator() ) ) {
 		$t_access_level = access_get_global_level();