From 8c6f4d8859785b67fb80ac65100ac5259ed9237d Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Wed, 23 Sep 2020 18:36:32 +0200
Subject: [PATCH] Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to inject HTML into the page. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes #27304
---
 bug_actiongroup_page.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php
index cdebbf49e8..2610ab9cb2 100644
--- a/bug_actiongroup_page.php
+++ b/bug_actiongroup_page.php
@@ -225,7 +225,9 @@
 break;
 case 'CUSTOM' :
 $t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
- $t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
+ $t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ),
+ string_attribute( lang_get_defaulted( $t_custom_field_def['name'] ) )
+ );
 $t_button_title = $t_question_title;
 $t_form = 'custom_field_' . $t_custom_field_id;
 $t_event_params['custom_field_id'] = $t_custom_field_id;
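Review bot: The escaping is applied where the title is built rather than where it is printed, so after this hunk `$t_question_title` and, through `$t_button_title = $t_question_title;`, the button label hold pre-escaped HTML without anything at the assignment saying so. A later maintainer who escapes these variables at the output site will double-encode the field name (an `&` renders as `&amp;`), and one who adds another `case` by copying the old one-line form without `string_attribute()` reintroduces the injection. At minimum add a comment above the new assignment, e.g. `# Custom field name is user-controlled; escaped here, so $t_question_title / $t_button_title must be output as-is`; the more robust fix is to keep the variable raw and call `string_attribute()` once at the point where the title is echoed, which also covers every other branch that assigns it. The enclosing `switch` starts and ends outside the hunk, so whether the other branches derive the title from user-controlled data cannot be confirmed here.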