From 66091a42626631a3063774eb0fb8a4218ab22fd4 Mon Sep 17 00:00:00 2001 From: Damien Regad Date: Wed, 5 Sep 2018 01:39:06 +0200 Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF Fix XSS in view_filters_page.php and manage_filter_edit_page.php Fixes #24731 --- core/filter_form_api.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 05d5c39e1e..7b38752fdf 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f } if( null === $p_static_fallback_page ) { - $p_static_fallback_page = $_SERVER['PHP_SELF']; - $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); + $p_static_fallback_page = $_SERVER['SCRIPT_NAME']; } - $t_filters_url = $p_static_fallback_page; + $t_filters_url = helper_mantis_url( $p_static_fallback_page ); $t_get_params = $_GET; $t_get_params['for_screen'] = $p_for_screen; $t_get_params['static'] = ON;