MantisBT: master-2.28 b1ebc577

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-04-12 13:22
Parent: master-2.28 5fec0f44
Affected Issues: 0037017: CVE-2026-40598: Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Changeset

Escape redirect page before display to prevent XSS

While this is generally not directly actionable as modern browsers will
URL-encode special characters, on some specific server configurations
this could poison the cache, leading to HTML injection in the user's
browser.

Fixes 0037017, GHSA-6jh4-47v2-4g37

mod - tag_update_page.php