Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being displayed as a hidden input. This vulnerability was reported by Etienne Landais. Fixes #22497
mantisbt · Mar 10, 2017 · 1677251 · 1677251
1 parent c26b34b
commit 1677251
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/view_filters_page.php b/view_filters_page.php
@@ -105,7 +105,7 @@
 
 	<?php # CSRF protection not required here - form does not result in modifications ?>
 	<input type="hidden" name="type" value="1" />
-	<input type="hidden" name="view_type" value="<?php echo $f_view_type; ?>" />
+	<input type="hidden" name="view_type" value="<?php echo $t_filter['_view_type']; ?>" />
 	<?php
 		if( $f_for_screen == false ) {
 			print '<input type="hidden" name="print" value="1" />';