[Secureideas-base-devel] [ secureideas-Bugs-2874199 ] Changing packet display type shows error mess
From: Randal T. R. <ra...@pr...> - 2009-11-21 04:00:55
In reference to the following bug report:

SourceForge.net wrote:
> Bugs item #2874199, was opened at 2009-10-07 16:49
> Message generated for change (Comment added) made by jleising
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=635582&aid=2874199&group_id=103348
>
> Please note that this message will contain a full copy of the comment
> thread, including the initial issue submission, for this request, not
> just the latest update.
>
> Category: Interface
> Group: BASE
> Status: Open
> Resolution: None
> Priority: 7
> Private: No
> Submitted By: Nobody/Anonymous (nobody)
> Assigned to: Randal Rioux (rrioux)
> Summary: Changing packet display type shows error message
>
> Initial Comment:
> When changing the packet display type (Normal Display or Plain
> Display), an error is shown with version 1.4.4:
>
> invalid (sid,cid) pair (,)
>
> Clicking [Back] shows the correct display.
>
> Juergen said:
> this problem has been introduced by
>
> http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/base_qry_alert.php?r1=1.61&r2=1.62
>
> You can fix it by removing urlencode() when its argument is $query.

However, this reverts the fix for some of those XSS flaws. Now, I'm no expert on XSS (finally bought a book on it!), but I think we're better off with a working function than a broken one that is highly unlikely to be taken advantage of on properly secured networks. Before the next version, I'd like this code to work. Does anyone else have a suggestion? I've tried other string-cleaning functions but none so far work (something is off here).

Thanks!

Randy
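The following is an added illustration, not code from BASE or from anyone in this thread. It assumes, from the symptom quoted above, that urlencode() was applied to an already-assembled query string of the form `sid=...&cid=...`, so the `=` and `&` separators themselves got percent-encoded and the receiving page no longer saw a sid or cid. The script reproduces that with a constructed query string, then shows the usual way to keep the XSS fix without breaking the link: encode each parameter value individually (http_build_query) and HTML-escape the finished URL where it is written into an attribute (htmlspecialchars). The `check_pair` helper only mimics the error message; it is not BASE's validation code.

```php
<?php
// Added example, not BASE's own code. Reproduces why urlencode() over a
// whole query string breaks parameter parsing, and shows the alternative:
// encode each value, then HTML-escape the finished URL at output time.

function parse_query_from_href(string $href): array
{
    // Emulate what the receiving page sees in $_GET.
    $qs = (string) parse_url($href, PHP_URL_QUERY);
    parse_str($qs, $params);
    return $params;
}

function check_pair(array $params): string
{
    // Hypothetical stand-in for the check that produced the quoted error.
    $sid = (string) ($params['sid'] ?? '');
    $cid = (string) ($params['cid'] ?? '');
    if ($sid === '' || $cid === '' || !ctype_digit($sid) || !ctype_digit($cid)) {
        return "invalid (sid,cid) pair ($sid,$cid)";
    }
    return "ok (sid,cid) pair ($sid,$cid)";
}

function build_href(string $script, array $params): string
{
    // http_build_query() percent-encodes each key and value but leaves the
    // '=' and '&' separators intact, so the receiving page can parse it.
    $url = $script . '?' . http_build_query($params);
    // The URL is placed inside an HTML attribute, so escape for that context.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs. The second carries an attribute-breaking payload of
// the kind an XSS fix is meant to neutralise.
$query   = 'sid=1&cid=2&display=plain';
$hostile = 'sid=1&cid=2&display="><script>alert(1)</script>';

// 1. Broken form: urlencode() over the whole query string.
//    '=' and '&' become %3D and %26, so parse_str() sees one key
//    ("sid=1&cid=2&display=plain") with an empty value and no sid/cid.
$broken = 'base_qry_alert.php?' . urlencode($query);
echo "broken href : $broken\n";
echo "  -> ", check_pair(parse_query_from_href($broken)), "\n";

// 2. Working form: values encoded individually, URL escaped for HTML.
parse_str($hostile, $hostileParams);
$safe = build_href('base_qry_alert.php', $hostileParams);
echo "escaped href: $safe\n";

// What the browser sends back after decoding the attribute value: the
// separators survive, and the payload arrives percent-encoded as data,
// unable to close the quoted attribute it was written into.
$roundtrip = htmlspecialchars_decode($safe, ENT_QUOTES);
$params    = parse_query_from_href($roundtrip);
echo "  -> ", check_pair($params), "\n";
echo "  display = ", $params['display'], "\n";
```

Run with `php example.php`. The first link yields `invalid (sid,cid) pair (,)` because no sid or cid parses out of it; the second parses cleanly (`ok (sid,cid) pair (1,2)`) while the hostile `display` value never appears raw in the attribute, which is the property the urlencode() change was presumably reaching for.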