Use SCRIPT_NAME instead of PHP_SELF

Fix XSS in view_filters_page.php and manage_filter_edit_page.php Fixes #24731
mantisbt · Sep 4, 2018 · 66091a4 · 66091a4
1 parent c6b2dd5
commit 66091a4
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/core/filter_form_api.php b/core/filter_form_api.php
@@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f
 	}
 
 	if( null === $p_static_fallback_page ) {
-		$p_static_fallback_page = $_SERVER['PHP_SELF'];
-		$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );
+		$p_static_fallback_page = $_SERVER['SCRIPT_NAME'];
 	}
-	$t_filters_url = $p_static_fallback_page;
+	$t_filters_url = helper_mantis_url( $p_static_fallback_page );
 	$t_get_params = $_GET;
 	$t_get_params['for_screen'] = $p_for_screen;
 	$t_get_params['static'] = ON;