Fix #17870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to escape the variable. Thanks to Paul Richards for pointing this out.
mantisbt · Nov 15, 2014 · 49c3d08 · 49c3d08
1 parent 1bdc16e
commit 49c3d08
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/adm_config_report.php b/adm_config_report.php
@@ -480,7 +480,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 	</td>
 	<td>
 		<input type="text" name="config_option"
-			value="<?php echo $t_edit_option; ?>"
+			value="<?php echo string_attribute( $t_edit_option ); ?>"
 			size="64" maxlength="64" />
 	</td>
 </tr>