From e1667bf81c9cc49738df467bc55ef68049357917 Mon Sep 17 00:00:00 2001 From: Damien Regad Date: Sat, 15 May 2021 15:43:09 +0200 Subject: [PATCH] Fix XSS on manage_custom_field_edit_page.php Thanks to Feras AL-KASSAR (SAP) who reported this vulnerability, which was discovered in the context of the EU research project TESTABLE. Unescaped output of 'return' parameter allows an attacker to inject code into a hidden input field in the manage-custom-field-update-form. Fixes #28552, CVE-xxx --- manage_custom_field_edit_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage_custom_field_edit_page.php b/manage_custom_field_edit_page.php index 02126294f..743d92fed 100644 --- a/manage_custom_field_edit_page.php +++ b/manage_custom_field_edit_page.php @@ -87,7 +87,7 @@ $t_definition = custom_field_get_definition( $f_field_id );
- + -- 2.25.1
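Review bot: The two changed lines of the hunk at line 87 are empty in this copy (only the `-` and `+` markers survive), so the escaping actually applied to the 'return' value cannot be verified from the patch as shown; the diff should carry the hidden input line before and after the change. Since the commit message says the value is written into a hidden input field, the escaping has to be the HTML-attribute variant (quotes encoded, not only `<` and `>`), and any other place the same 'return' parameter is echoed should get the same treatment. The trailer also still reads `CVE-xxx`: replace the placeholder with the assigned identifier before merging, or drop the reference.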