From 66091a42626631a3063774eb0fb8a4218ab22fd4 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 5 Sep 2018 01:39:06 +0200
Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF

Fix XSS in view_filters_page.php and manage_filter_edit_page.php

Fixes #24731
---
 core/filter_form_api.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/filter_form_api.php b/core/filter_form_api.php
index 05d5c39e1..7b38752fd 100644
--- a/core/filter_form_api.php
+++ b/core/filter_form_api.php
@@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f
 	}
 
 	if( null === $p_static_fallback_page ) {
-		$p_static_fallback_page = $_SERVER['PHP_SELF'];
-		$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );
+		$p_static_fallback_page = $_SERVER['SCRIPT_NAME'];
 	}
-	$t_filters_url = $p_static_fallback_page;
+	$t_filters_url = helper_mantis_url( $p_static_fallback_page );
 	$t_get_params = $_GET;
 	$t_get_params['for_screen'] = $p_for_screen;
 	$t_get_params['static'] = ON;
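Review bot: `helper_mantis_url()` is now applied to `$_SERVER['SCRIPT_NAME']`, which is already a path from the web root, so on an install living in a subdirectory the result may carry the path prefix twice unless the helper detects an existing short path; the helper is not visible here, so this is worth confirming against a subdirectory install. The same call now also wraps a caller-supplied `$p_static_fallback_page`, which changes what callers passing an already-rooted URL receive. Dropping `string_sanitize_url()` is sound only because SCRIPT_NAME excludes the request-supplied path info that PHP_SELF appends, so a comment on the assignment such as `# SCRIPT_NAME, not PHP_SELF: PHP_SELF includes request-supplied PATH_INFO (XSS, #24731)` would keep a later edit from reverting it. The function body continues outside the hunk, so the place where `$t_filters_url` is written into the page should still escape it for its HTML context rather than rely on the source variable alone.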
-- 
2.16.1.windows.1

