MantisBT: master 70b5022f

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2009-11-30 19:56
Parent: master 60a4d24a
Affected Issues: 0011229: XSS on /view_all_bug_page.php?tag_string=<XSS>
Changeset

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being
written to HTML output. This meant that it was possible for users to
create tags containing JavaScript that is executed on every load of
view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for
reporting this issue.

mod - core/print_api.php
mod - core/filter_api.php
mod - tag_update_page.php
mod - tag_view_page.php