Fix #16513: XSS in account_sponsor_page.php project names

account_sponsor_page.php.php does not correctly sanitise project names. It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.
mantisbt · Oct 19, 2013 · 0002d10 · 0002d10
1 parent b8b4134
commit 0002d10
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/account_sponsor_page.php b/account_sponsor_page.php
@@ -180,7 +180,7 @@
 
 		echo '<tr class="' . $status_label .  '">';
 		echo '<td><a href="' . string_get_bug_view_url( $row['bug'] ) . '">' . bug_format_id( $row['bug'] ) . '</a></td>';
-		echo '<td>' . project_get_field( $t_bug->project_id, 'name' ) . '&#160;</td>';
+		echo '<td>' . string_display_line( project_get_field( $t_bug->project_id, 'name' ) ) . '&#160;</td>';
 		echo '<td class="right">' . $t_released_label . '&#160;</td>';
 		echo '<td><span class="issue-status" title="' . $t_resolution . '">' . $t_status . '</span></td>';
 		echo '<td>';
@@ -299,7 +299,7 @@
 
 		echo '<tr class="' . $status_label .  '">';
 		echo '<td><a href="' . string_get_bug_view_url( $row['bug'] ) . '">' . bug_format_id( $row['bug'] ) . '</a></td>';
-		echo '<td>' . project_get_field( $t_bug->project_id, 'name' ) . '&#160;</td>';
+		echo '<td>' . string_display_line( project_get_field( $t_bug->project_id, 'name' ) ) . '&#160;</td>';
 		echo '<td class="right">' . $t_released_label . '&#160;</td>';
 		echo '<td><a title="' . $t_resolution . '"><span class="underline">' . $t_status . '</span>&#160;</a></td>';