View Issue Details

ID: 0025749
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2019-05-13 09:04
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version:
Target Version: 2.22.0
Fixed in Version:
Summary: 0025749: error_string() does not allow HTML tags inside of error messages
Description

Many of our language strings rely on sprintf() to insert dynamic parameters prior to output; several strings also include HTML tags (a, br, em, strong, etc).

Since 1.2.0a1, the error_string() API function sanitizes the resulting string (i.e. the language string after parameters substitution) via a htmlspecialchars() call to protect from potential XSS attacks (see 0008202). Consequently, the tags are escaped and the formatting is lost.

Considering that the language strings themselves are trusted input, we should only encode the parameters.

It would also make sense to authorize br tags without attributes within parameters.
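The two behaviours described above, side by side, as an added example (not MantisBT's own code; the function names, the sample language string and the sample parameters are constructed for this illustration):

```php
<?php
// Constructed sample language string: trusted, contains HTML formatting and
// positional sprintf() placeholders (single quotes so PHP does not interpolate $).
const LANG_STRING_EXAMPLE =
    'Field <strong>%1$s</strong> is invalid.<br />See <a href="%2$s">help</a>.';

/**
 * Behaviour reported in this issue: the whole message is escaped after
 * substitution, so the tags in the trusted language string are lost too.
 */
function error_string_escape_all(string $lang, array $params): string
{
    return htmlspecialchars(vsprintf($lang, $params), ENT_QUOTES, 'UTF-8');
}

/**
 * Escape one untrusted parameter. When $allow_br is true, an attribute-less
 * <br> / <br/> / <br /> that was escaped above is restored; anything with
 * attributes (e.g. an event handler) stays escaped.
 */
function escape_param(string $value, bool $allow_br): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    if ($allow_br) {
        $escaped = preg_replace('~&lt;br\s*/?&gt;~i', '<br />', $escaped);
    }
    return $escaped;
}

/**
 * Proposed behaviour: encode only the parameters, then substitute them into
 * the trusted language string, which keeps its own HTML intact.
 */
function error_string_escape_params(string $lang, array $params, bool $allow_br = false): string
{
    $safe = array_map(fn ($p) => escape_param((string) $p, $allow_br), $params);
    return vsprintf($lang, $safe);
}

// Constructed untrusted parameters: one with a script tag that must stay
// escaped, one plain URL; a bare <br> in the first one is allowed through.
$params = ['name<script>alert(1)</script><br>', 'https://example.invalid/help'];

echo error_string_escape_all(LANG_STRING_EXAMPLE, $params), PHP_EOL;
// Every tag, including <strong>, <br /> and <a>, is rendered as literal text.

echo error_string_escape_params(LANG_STRING_EXAMPLE, $params, true), PHP_EOL;
// Formatting from the language string survives; the <script> payload is
// escaped to &lt;script&gt;..., and only the attribute-less <br> is restored.
```

The `<br>` allowance works only because the parameter is escaped before substitution; applying the same regex to the fully escaped message would also unescape line breaks that belong to attacker-controlled text inside attributes.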

Tags: No tags attached.

Relationships

related to 0008202 (closed, grangeway): Potential Cross-Site Scripting Flaws

Activities

Issue History

Date Modified Username Field Change
2019-05-09 10:16 dregad New Issue
2019-05-09 10:16 dregad Status new => assigned
2019-05-09 10:16 dregad Assigned To => dregad
2019-05-09 10:16 dregad Relationship added related to 0008202
2019-05-09 12:08 dregad Note Added: 0062048