MantisBT: master-2.3 a1c71931

Author: dregad
Committer: dregad
Branch: master-2.3
Timestamp: 2017-04-18 07:49
Parent: master-2.3 27b5b292
Affected Issues: 0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
Changeset

Fix XSS in timeline_inc.php

Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker
to inject arbitrary JavaScript as part of the URL.

Using SCRIPT_NAME and passing it through string_sanitize_url() instead
prevents the attack.

Fixes 0022742
Fixes https://github.com/mantisbt/mantisbt/pull/1094

mod - core/timeline_inc.php
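The pattern this commit fixes, as an added illustration that is not MantisBT's code and not the patched timeline_inc.php: the vulnerable form echoes $_SERVER['PHP_SELF'] (which carries the client-supplied PATH_INFO suffix) straight into HTML, while the hardened form takes SCRIPT_NAME and encodes it before output. MantisBT's string_sanitize_url() is not reproduced here; htmlspecialchars() plus a path allowlist (both my choice, not the project's) stand in for that step, and the $server array is a constructed request.

```php
<?php
// Added example, not MantisBT code. Demonstrates why an unescaped
// $_SERVER['PHP_SELF'] is a reflected XSS sink and the safer pattern of
// reading SCRIPT_NAME and output-encoding it.
//
// PHP_SELF = script path + PATH_INFO, i.e. it includes whatever the client
// appended after the script name, so it is attacker-influenced.
// SCRIPT_NAME is the server-side path of the script that actually ran and
// carries no client-supplied suffix.

/** Vulnerable pattern: client-influenced value placed raw into an attribute. */
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '">';
}

/**
 * Hardened pattern: use SCRIPT_NAME, restrict it to a plain path, and
 * HTML-encode it. The allowlist regex is a defence-in-depth choice made for
 * this example; string_sanitize_url() in MantisBT is the project's own helper.
 */
function form_action_safe(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '/';
    if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $path)) {
        $path = '/';
    }
    return '<form action="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: the client asked for /my_view_page.php/"extra.
// The double quote is a stand-in for any attacker-chosen character; in the
// unsafe variant it terminates the action attribute early, which is the
// foothold the CVE describes.
$server = [
    'SCRIPT_NAME' => '/my_view_page.php',
    'PHP_SELF'    => '/my_view_page.php/"extra',
];

echo form_action_unsafe($server), PHP_EOL; // attribute broken by the raw quote
echo form_action_safe($server), PHP_EOL;   // path only, attribute intact
```

Run with `php example.php` and compare the two lines: the first reflects the client-supplied suffix verbatim, the second contains only the encoded server-side script path.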