From 45f9e746fb9a42e74b668211372d9e45db3e7b6c Mon Sep 17 00:00:00 2001
From: Robert Munteanu <robert@lmn.ro>
Date: Fri, 18 Jan 2013 22:22:30 +0200
Subject: [PATCH] filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int
 value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes #15373: XSS vulnerability
---
 core/filter_api.php | 2 +-
 view_all_set.php    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index e6b7c991c5..251bdd895d 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
+			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE] ?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>		
diff --git a/view_all_set.php b/view_all_set.php
index e67829518d..d13b1e5d74 100644
--- a/view_all_set.php
+++ b/view_all_set.php
@@ -233,7 +233,7 @@
 	$f_note_user_id = array( $f_note_user_id );
 }
 
-$f_match_type = gpc_get_string ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
+$f_match_type = gpc_get_int ( FILTER_PROPERTY_MATCH_TYPE, FILTER_MATCH_ALL );
 
 # these are only single values, even when doing advanced filtering
 $f_per_page				= gpc_get_int( FILTER_PROPERTY_ISSUES_PER_PAGE, -1 );