Fix 0008181: Display of database error message could be used to gener…

…ate Cross site scripting issue git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4467 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Jul 22, 2007 · bf9f4f1 · bf9f4f1
1 parent 69c23df
commit bf9f4f1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/core/database_api.php b/core/database_api.php
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: database_api.php,v 1.57 2007-06-09 15:00:03 vboctor Exp $
+	# $Id: database_api.php,v 1.58 2007-07-22 21:02:45 prichards Exp $
 	# --------------------------------------------------------
 
 	### Database ###
@@ -291,7 +291,7 @@ function db_error_msg() {
 	# display both the error num and error msg
 	function db_error( $p_query=null ) {
 		if ( null !== $p_query ) {
-			error_parameters( db_error_num(), db_error_msg(), $p_query );
+			error_parameters( db_error_num(), db_error_msg(), string_html_specialchars( $p_query ) );
 		} else {
 			error_parameters( db_error_num(), db_error_msg() );
 		}