MantisBT: master 26e2d3b6

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2009-12-06 06:42
Parent: master 964915c9
Affected Issues: 0011261: Don't rely on MantisCoreFormatting to provide string sanitisation for HTML output that can occur prior to plugins loading
Changeset

Fix 0011261: XSS in error output as MantisCoreFormatting isn't loaded

print_project_menu_bar() is called when an error occurs in MantisBT (to
produce the HTML output for the error page). At this point of time,
MantisCoreFormatting may not be loaded by MantisBT and therefore the
stringdisplay* sanitisation functions won't be executed. Thus we must
force the use of the string_html_specialchars() function to ensure
that these strings are safely sanitised even when MantisCoreFormatting
isn't loaded (yet).
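
The load-order problem the commit describes, as an added example; this is not MantisBT's code and does not reproduce its diff. It assumes a hypothetical hook registry (`register_display_hook`, `display_via_hooks`) standing in for the plugin event chain behind the string_display*() functions, and a stand-in `html_specialchars_always()` for string_html_specialchars(). The first render happens on the error path before any plugin has registered, so the hook-only version emits the project name unescaped; the fixed version escapes unconditionally and is safe in both phases:

```php
<?php
// Added example (not MantisBT code). Models why sanitisation that is only
// supplied by a plugin hook cannot be relied on before plugins are loaded.

// Hypothetical registry standing in for the plugin event system.
$g_display_hooks = array();

function register_display_hook(callable $fn) {
    global $g_display_hooks;
    $g_display_hooks[] = $fn;
}

// Stand-in for the string_display*() family: the string is only transformed
// by whatever hooks plugins have registered. With no hooks (plugins not yet
// loaded) the raw input is returned unchanged.
function display_via_hooks($s) {
    global $g_display_hooks;
    foreach ($g_display_hooks as $fn) {
        $s = $fn($s);
    }
    return $s;
}

// Stand-in for string_html_specialchars(): escaping that does not depend on
// any plugin being loaded.
function html_specialchars_always($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the menu bar trusts the hook chain to escape.
function menu_bar_before_fix($project_name) {
    return '<a href="#">' . display_via_hooks($project_name) . '</a>';
}

// Fixed pattern: escape unconditionally at the output site.
function menu_bar_after_fix($project_name) {
    return '<a href="#">' . html_specialchars_always($project_name) . '</a>';
}

// Constructed sample input: a project name carrying an HTML payload.
$project_name = '<script>alert(1)</script>';

// Phase 1: error page rendered before any plugin has loaded.
echo "-- before plugins load --\n";
echo "hook-only:  " . menu_bar_before_fix($project_name) . "\n";
echo "escaped:    " . menu_bar_after_fix($project_name) . "\n";

// Phase 2: a formatting plugin registers its escaping hook (what the
// MantisCoreFormatting plugin would supply once loaded).
register_display_hook('html_specialchars_always');
echo "-- after plugins load --\n";
echo "hook-only:  " . menu_bar_before_fix($project_name) . "\n";
echo "escaped:    " . menu_bar_after_fix($project_name) . "\n";

// A check a practitioner would want: the output must never contain the
// raw payload in either phase.
function output_is_safe($html) {
    return strpos($html, '<script>') === false;
}
```

Run it with `php example.php`. The hook-only line in the first phase is the XSS: the page is emitted with the payload intact because nothing has registered yet. When auditing similar code, grep for output sites that call only the plugin-mediated display functions and verify whether any of them can execute from an error handler or other pre-plugin path.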

mod - core/html_api.php