[Secureideas-base-devel] [ secureideas-Bugs-2874199 ] Changing packet display type shows error message

[Randal T. R. <ra...@pr...>]

In reference to the following bug report:

SourceForge.net wrote:
> Bugs item #2874199, was opened at 2009-10-07 16:49 Message generated
> for change (Comment added) made by jleising You can respond by
> visiting: 
> https://sourceforge.net/tracker/?func=detail&atid=635582&aid=2874199&group_id=103348
> 
> 
> Please note that this message will contain a full copy of the comment
> thread, including the initial issue submission, for this request, not
> just the latest update. Category: Interface Group: BASE Status: Open 
> Resolution: None Priority: 7 Private: No Submitted By:
> Nobody/Anonymous (nobody) Assigned to: Randal Rioux (rrioux) Summary:
> Changing packet display type shows error message
> 
> Initial Comment: When changing the packet display type (Normal
> Display or Plain Display), and error is shown with version 1.4.4:
> 
> invalid (sid,cid) pair (,)
> 
> Clicking [Back] shows the correct display.

Juergen said:

> this problem has been introduced by
> 
> http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/base_qry_alert.php?r1=1.61&r2=1.62
> 
> 
> You can fix it by removing urlencode() when its argument is $query.
> 
> However, this reverts the fix for some of those XSS flaws.

Now, I'm no expert on XSS (finally bought a book on it!), but I think
we're better off with a working function than a broken one that is
highly unlikely to be taken advantage of on properly secured networks.

Before the next version, I'd like this code to work. Does anyone else
have a suggestion? I've tried other string-cleaning functions but none
so far work (something is off here).

Thanks!
Randy