From bf9f4f1e79b557968936b510d0d7fe53dae41df4 Mon Sep 17 00:00:00 2001
From: Paul Richards
Date: Sun, 22 Jul 2007 21:02:45 +0000
Subject: [PATCH] Fix 0008181: Display of database error message could be used to generate Cross site scripting issue
git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4467 f5dc347c-c33d-0410-90a0-b07cc1902cb9
---
 core/database_api.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/database_api.php b/core/database_api.php
index 05e3c081c7..04532ef11b 100644
--- a/core/database_api.php
+++ b/core/database_api.php
@@ -6,7 +6,7 @@
 # See the README and LICENSE files for details
 # --------------------------------------------------------
- # $Id: database_api.php,v 1.57 2007-06-09 15:00:03 vboctor Exp $
+ # $Id: database_api.php,v 1.58 2007-07-22 21:02:45 prichards Exp $
 # --------------------------------------------------------
 ### Database ###
@@ -291,7 +291,7 @@ function db_error_msg() {
 # display both the error num and error msg
 function db_error( $p_query=null ) {
 if ( null !== $p_query ) {
- error_parameters( db_error_num(), db_error_msg(), $p_query );
+ error_parameters( db_error_num(), db_error_msg(), string_html_specialchars( $p_query ) );
 } else {
 error_parameters( db_error_num(), db_error_msg() );
 }
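Review bot: `db_error_msg()` is still passed to `error_parameters()` unescaped in both branches of `db_error()`, and driver error text commonly echoes part of the failing statement, so the same markup could presumably reach the error page through the message even though `$p_query` is now encoded. I would encode it as well: `error_parameters( db_error_num(), string_html_specialchars( db_error_msg() ), string_html_specialchars( $p_query ) );` and, in the else branch, `error_parameters( db_error_num(), string_html_specialchars( db_error_msg() ) );`. How the error handler renders these parameters is not visible here; if it is the single place they are printed, encoding there would cover every caller rather than this one call site. The end of `db_error()` lies outside the hunk.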