Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to inject HTML into the page. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes #27304
mantisbt · Sep 23, 2020 · 8c6f4d8 · 8c6f4d8
1 parent 26bbae7
commit 8c6f4d8
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php
@@ -225,7 +225,9 @@
 		break;
 	case 'CUSTOM' :
 		$t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
-		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
+		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ),
+			string_attribute( lang_get_defaulted( $t_custom_field_def['name'] ) )
+		);
 		$t_button_title = $t_question_title;
 		$t_form = 'custom_field_' . $t_custom_field_id;
 		$t_event_params['custom_field_id'] = $t_custom_field_id;