From 2b9c1ad16c063ec97a298b877631b75d8a6d5922 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 24 Mar 2017 17:02:07 +0100
Subject: [PATCH] Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes #22568
---
 admin/move_attachments_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/move_attachments_page.php b/admin/move_attachments_page.php
index c7c806e..96dfe35 100644
--- a/admin/move_attachments_page.php
+++ b/admin/move_attachments_page.php
@@ -188,7 +188,7 @@ if( isset( $t_projects[ALL_PROJECTS] ) ) {
 	
 </table>
 <div class="widget-toolbox padding-8 clearfix">
-	<input name="type" type="hidden" value="<?php echo $f_file_type ?>" />
+	<input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" />
 	<input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" />
 </div>
 </div>
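Review bot: the only occurrence of `$f_file_type` escaped here is the hidden input; since this is the page's `type` parameter reflected into HTML, please confirm it is not echoed anywhere else in move_attachments_page.php without going through string_attribute() (or string_display_line() for text context), otherwise the same injection remains on the other output. Minor style point on the `+` line: the call reads `string_attribute( $f_file_type);` with no space before the closing parenthesis, whereas the hunk header shows the file's convention of `isset( $t_projects[ALL_PROJECTS] )`; suggest `string_attribute( $f_file_type );`.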
-- 
2.7.4

