Commit
Fix #17870: XSS in adm_config_report.php
This is the *real* correct fix for this issue (i.e. using string_attribute() to escape the variable), which was supposed to have been fixed in commit 1a49a78. Unfortunately, for some reason I somehow ended up redoing the same mistake of using string_display_line() again instead (see original fix b509ab3, reverted in b02557d). It is worth mentioning that string_display_line() *does* protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON. Thanks to Patrice Morineau for pointing this out.
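An added illustration (not MantisBT code and not part of this commit) of the distinction the commit message draws: an escaper that only encodes when text processing is ON, beside one that always encodes for an attribute context. The helper names `display_line_model` and `attribute_model`, the field name and the sample value are constructed for this example and only model the behaviour described above.

```php
<?php
// Hypothetical models for illustration; these are not MantisBT functions.

// Escaping delegated to an optional text-processing step, as the commit
// message describes for string_display_line().
function display_line_model(string $value, bool $textProcessingOn): string {
    $value = str_replace(["\r", "\n"], ' ', $value);
    return $textProcessingOn
        ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $value; // processing OFF: the value reaches the page unescaped
}

// Attribute-context escaping that never depends on configuration.
function attribute_model(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse the rendered markup and list the attribute names the <input> ends up with.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

// Constructed request value: a double quote followed by an inert extra attribute.
$sample = 'abc" data-injected="1';

$cases = [
    'display_line_model, processing ON'  => display_line_model($sample, true),
    'display_line_model, processing OFF' => display_line_model($sample, false),
    'attribute_model'                    => attribute_model($sample),
];

foreach ($cases as $label => $escaped) {
    // Constructed template: the value is placed inside a double-quoted attribute.
    $html = '<input type="text" name="example_field" value="' . $escaped . '">';
    $names = attribute_names($html);
    $verdict = in_array('data-injected', $names, true) ? 'BROKE OUT' : 'contained';
    printf("%-36s %-10s [%s]\n", $label, $verdict, implode(', ', $names));
}
```

Only the "processing OFF" case lets the value leave the `value` attribute, which is why the safety of the output must not hinge on a plugin setting.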