MantisBT: master-1.1.x c6f356da

Author: dhx
Committer: dhx
Branch: master-1.1.x
Timestamp: 2009-11-30 20:29
Parent: master-1.1.x 8ecb5fa4
Affected Issues: 0011229: XSS on /view_all_bug_page.php?tag_string=<XSS>
Changeset

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being
written to HTML output. This meant that it was possible for users to
create tags containing JavaScript that is executed on every load of
view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for
reporting this issue.

This is a backport of 70b5022f556c9b9b6b0cd661e3357767a3b178c5

mod - tag_update_page.php
mod - tag_view_page.php
mod - core/print_api.php
mod - core/filter_api.php
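The commit message describes the bug class (tag names and descriptions written into HTML without escaping, so a tag created once runs for every user who loads view_all_bug_page.php), but the diff itself is not on this page. The following is an added example, not MantisBT code and not the patch above: it models the vulnerable rendering pattern beside a hardened version in plain PHP. The tag record, the payloads and every function name (render_tag_vulnerable, render_tag_safe, render_filter_safe, h, looks_injected) are constructed for illustration and are assumptions, not identifiers from the project.

```php
<?php
// Added example, not MantisBT's own code. Models the bug fixed by the commit
// above: tag fields echoed into HTML unescaped. All data below is constructed.
declare(strict_types=1);

// Constructed tag record: a stored tag whose name and description carry
// attacker-chosen markup. Once saved, it is rendered for every viewer.
$tag = [
    'id'          => 1,
    'name'        => '<script>alert(document.cookie)</script>',   // constructed payload
    'description' => 'x" onmouseover="alert(1)',                  // constructed payload
];

// Vulnerable pattern: user-controlled strings concatenated straight into markup.
// The name breaks out into a script element; the description breaks out of the
// quoted title attribute and adds an event handler.
function render_tag_vulnerable(array $tag): string
{
    return '<a href="tag_view_page.php?tag_id=' . $tag['id'] . '"'
         . ' title="' . $tag['description'] . '">'
         . $tag['name'] . '</a>';
}

// Output-encoding helper for HTML text nodes and quoted attribute values.
// ENT_QUOTES escapes both ' and " so the value cannot close an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently drop the whole field.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every untrusted value is escaped for the context it lands in,
// and the numeric id is cast so it cannot carry anything but digits.
function render_tag_safe(array $tag): string
{
    return '<a href="tag_view_page.php?tag_id=' . (int) $tag['id'] . '"'
         . ' title="' . h($tag['description']) . '">'
         . h($tag['name']) . '</a>';
}

// The filter page reflects tag_string both into a form field and into a link
// back to itself. The link value needs URL encoding first (so the tag string is
// one query parameter), then HTML escaping (so it is safe inside the attribute).
function render_filter_safe(string $tag_string): string
{
    $self = 'view_all_bug_page.php?tag_string=' . rawurlencode($tag_string);
    return '<input type="text" name="tag_string" value="' . h($tag_string) . '">'
         . '<a href="' . h($self) . '">filter</a>';
}

// Crude demo check: does the rendered HTML still contain the raw payload?
function looks_injected(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

echo "vulnerable: ", render_tag_vulnerable($tag), "\n";
echo "hardened:   ", render_tag_safe($tag), "\n";
echo "filter:     ", render_filter_safe($tag['name']), "\n";
echo "raw payload present in vulnerable output: ",
     var_export(looks_injected(render_tag_vulnerable($tag), $tag['name']), true), "\n";
echo "raw payload present in hardened output:   ",
     var_export(looks_injected(render_tag_safe($tag), $tag['name']), true), "\n";
```

Run it with `php example.php`. The point of keeping three contexts (text node, quoted attribute, URL inside an attribute) is that a single global filter at input time is the wrong layer: the same tag name needs different encoding depending on where it is written, which is why the commit touches both the page templates and the shared print and filter helpers rather than the tag creation code alone.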