MantisBT: master-1.2.x 0a636b37

Author Committer Branch Timestamp Parent
dhx dhx master-1.2.x 2011-09-03 16:36 master-1.2.x 4b7492d4
Affected Issues  0013281: MantisBT Security Vulnerabilities Notification

Issue 0013281: Fix Projax XSS issues (unescaped value attributes)

Projax sucks. This is why it was replaced with jQuery in the master
branch. However master-1.2.x still uses the older Projax code. The
Projax library doesn't attempt to escape values before dumping them in
HTML output, thus leading to XSS issues.

The easiest workaround is to pass in already-escaped values to the
Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as
part of their advisory #HTB23045, available at

mod - bug_report_page.php Diff File
mod - bug_update_advanced_page.php Diff File