Fix #17870: XSS in adm_config_report.php
This is the *real* correct fix for this issue (i.e. using string_attribute()
to escape the variable), which was supposed to have been fixed in commit
1a49a78.

Unfortunately, for some reason I somehow ended up redoing the same
mistake of using string_display_line() again instead (see original fix
b509ab3, reverted in
b02557d).

It is worth mentioning that string_display_line() *does* protect against
the XSS attack vector, provided that the relevant MantisBT Formatting
plugin configuration (text processing) is set to ON.

Thanks to Patrice Morineau for pointing this out.
dregad committed Nov 3, 2015
1 parent e8ff7b9 commit b649c9c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion adm_config_report.php
@@ -494,7 +494,7 @@ function check_config_value( $p_config ) {
<label for="config-option"><span><?php echo lang_get( 'configuration_option' ) ?></span></label>
<span class="input">
<input type="text" name="config_option"
value="<?php echo string_display_line( $t_edit_option ); ?>"
value="<?php echo string_attribute( $t_edit_option ); ?>"
size="64" maxlength="64" />
</span>
<span class="label-style"></span>
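Review bot: string_attribute() is the right escaper for the value="..." context on the changed line, because an attribute-context escaper has to encode double quotes; otherwise the echoed value can terminate the attribute and append its own (an event handler, for instance), which a text-context escaper like string_display_line() only prevents indirectly through the Formatting plugin's text-processing setting, as the commit message itself notes. Worth checking the rest of adm_config_report.php for other `value="<?php echo string_display_line( ... ); ?>"` occurrences, so the same context mismatch is not left behind outside this one-line hunk.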

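To make the point of the commit message concrete, here is an added example (not MantisBT code, and not the project's own string_display_line() or string_attribute() implementations) showing why a text-context escaper leaves the attribute in adm_config_report.php open to break-out while an attribute-context escaper closes it. The two escapers below are stand-ins built on htmlspecialchars(), the payload is constructed for this example, and DOMDocument is used to show which attributes a lenient HTML parser actually ends up with:

```php
<?php
// Added example, not MantisBT code. The two escapers are stand-ins built on
// htmlspecialchars() and are NOT MantisBT's string_display_line() or
// string_attribute(); they only model the text-vs-attribute context difference.

// Stand-in for a text-context escaper: encodes <, > and & but leaves quotes
// untouched. That is enough between tags, not inside value="...".
function text_escape_stand_in( string $p_string ): string {
    return htmlspecialchars( $p_string, ENT_NOQUOTES, 'UTF-8' );
}

// Stand-in for an attribute-context escaper: ENT_QUOTES also encodes " and ',
// so the value can never terminate the attribute it is placed in.
function attribute_escape_stand_in( string $p_string ): string {
    return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
}

// Renders the <input> from adm_config_report.php with the chosen escaper.
function render_config_option_input( string $p_value, callable $p_escaper ): string {
    return '<input type="text" name="config_option" value="'
        . $p_escaper( $p_value ) . '" size="64" maxlength="64" />';
}

// Parses the rendered markup the way a forgiving browser would and returns
// the attribute map of the <input>, so break-out becomes visible as extra
// attributes rather than as a string that merely "looks" wrong.
function rendered_attributes( string $p_html ): array {
    $t_dom = new DOMDocument();
    libxml_use_internal_errors( true );
    $t_dom->loadHTML( '<!DOCTYPE html><html><body>' . $p_html . '</body></html>' );
    libxml_clear_errors();
    $t_input = $t_dom->getElementsByTagName( 'input' )->item( 0 );
    $t_attrs = [];
    foreach ( $t_input->attributes as $t_attr ) {
        $t_attrs[$t_attr->name] = $t_attr->value;
    }
    return $t_attrs;
}

// Constructed attacker input for this example: closes value="", injects an
// event handler, and re-opens a quote so the rest of the tag still parses.
$t_payload = '" onfocus="alert(1)" autofocus="';

$t_escapers = [
    'text-context escaper (quotes left alone)' => 'text_escape_stand_in',
    'attribute-context escaper (quotes encoded)' => 'attribute_escape_stand_in',
];

foreach ( $t_escapers as $t_label => $t_escaper ) {
    $t_html  = render_config_option_input( $t_payload, $t_escaper );
    $t_attrs = rendered_attributes( $t_html );
    echo $t_label, ":\n";
    echo "  markup:     ", $t_html, "\n";
    echo "  attributes: ", implode( ', ', array_keys( $t_attrs ) ), "\n";
    echo "  onfocus:    ", isset( $t_attrs['onfocus'] ) ? 'PRESENT (break-out)' : 'absent', "\n\n";
}
```

Run it with the php CLI: with the text-context stand-in the parser sees onfocus and autofocus as attributes of their own, with the attribute-context stand-in the whole payload stays inside value as literal text. The same reasoning is why the commit's switch to string_attribute() is the correct fix regardless of the Formatting plugin's text-processing setting: attribute escaping is a property of the output context, not of a plugin configuration.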