From cc69f7f43744d037b201b05a4610022189e99d87 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 23 Sep 2020 18:36:32 +0200
Subject: [PATCH] Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to
inject HTML into the page.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding.

Fixes #27304
---
 bug_actiongroup_page.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php
index cdebbf49e..2610ab9cb 100644
--- a/bug_actiongroup_page.php
+++ b/bug_actiongroup_page.php
@@ -225,7 +225,9 @@ switch( $f_action ) {
 		break;
 	case 'CUSTOM' :
 		$t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
-		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
+		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ),
+			string_attribute( lang_get_defaulted( $t_custom_field_def['name'] ) )
+		);
 		$t_button_title = $t_question_title;
 		$t_form = 'custom_field_' . $t_custom_field_id;
 		$t_event_params['custom_field_id'] = $t_custom_field_id;
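Review bot: The escaping is now applied where `$t_question_title` is built (line 25-27) rather than at the point of output, so the value carried in `$t_question_title` and copied into `$t_button_title` on line 28 must be treated as already HTML-escaped by every consumer further down the file (outside the hunk); a consumer that runs `string_attribute()` or `string_display_line()` over it again will double-encode `&`, `<` and quotes, while one that echoes it raw in a non-attribute context is relying on attribute escaping being sufficient there. A one-line comment pinning this contract would prevent a regression in either direction, e.g. `# Custom field name is HTML-escaped here; $t_question_title / $t_button_title must be output as-is.` The sibling `case` branches of this `switch` build `$t_question_title` outside the hunk; if any of them interpolates other user-controlled data (field names, project names) into the `lang_get()` format string, the same escaping is needed there. The enclosing `switch( $f_action )` starts and ends outside the hunk.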
-- 
2.25.1

