From 421af1ed47a2b9a72c999876e6e17c7f621acb5f Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Tue, 16 Aug 2016 23:22:40 +0200
Subject: [PATCH] Fix XSS in view_all_bug_page.php

The value of the view_type parameter on the view_all_bug_page.php page was not encoded before being displayed. This vulnerability was discovered by Will Dollman of Netcraft Ltd.

Fixes #21611
---
 core/filter_api.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/filter_api.php b/core/filter_api.php
index c8e8eae..9294f64 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -489,9 +489,15 @@ function filter_ensure_valid_filter( array $p_filter_arr ) {
  # if the version is old, update it
  $p_filter_arr['_version'] = FILTER_VERSION;
  }
+
+ # Filter type - ensure it's either 'simple' or 'advanced' (prevent XSS)
  if( !isset( $p_filter_arr['_view_type'] ) ) {
  $p_filter_arr['_view_type'] = gpc_get_string( 'view_type', 'simple' );
  }
+ if( $p_filter_arr['_view_type'] != 'advanced' ) {
+ $p_filter_arr['_view_type'] = 'simple';
+ }
+
  if( !isset( $p_filter_arr[FILTER_PROPERTY_ISSUES_PER_PAGE] ) ) {
  $p_filter_arr[FILTER_PROPERTY_ISSUES_PER_PAGE] = gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, config_get( 'default_limit_view' ) );
  }
--
2.7.4
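Review bot: The allow-list check `if( $p_filter_arr['_view_type'] != 'advanced' )` uses a loose comparison, so a non-string value already present in `$p_filter_arr` (for example `true`, or `0` on PHP versions before 8) compares equal to 'advanced' and is left unchanged. Such values cannot carry markup themselves, but the field is then not guaranteed to be one of the two strings the new comment promises; `if( $p_filter_arr['_view_type'] !== 'advanced' ) {` closes that gap. This normalisation is the only defence the patch adds, and the page that prints the value is outside this diff, so if it still echoes `_view_type` without HTML-escaping, encoding it at the output as well would protect any path that reaches the page without passing through filter_ensure_valid_filter(). The function body starts and ends outside the hunk.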