From ecef0e9b523a460709e8feedfce72f05bb30b992 Mon Sep 17 00:00:00 2001 From: Damien Regad Date: Fri, 24 Mar 2017 17:02:07 +0100 Subject: [PATCH] Fix XSS in move_attachments_page.php Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Move Attachments admin page, allowing an attacker to inject arbitrary code through a crafted 'type' parameter. Sanitize the 'type' parameter prior to output, to ensure HTML special characters are properly escaped. Fixes #22568 --- admin/move_attachments_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin/move_attachments_page.php b/admin/move_attachments_page.php index c7c806e73e..96dfe35120 100644 --- a/admin/move_attachments_page.php +++ b/admin/move_attachments_page.php @@ -188,7 +188,7 @@ function get_attachment_stats( $p_file_type, $p_in_db ) {
- +
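Review bot: the hunk body is not legible in this rendering (only the `-`/`+` markers survive), so the review cannot confirm which escaping call the one-line change in `get_attachment_stats( $p_file_type, $p_in_db )` applies; please make sure the fix escapes the 'type' value at the point of output (PHP's `htmlspecialchars()` with `ENT_QUOTES`, or the project's equivalent output-escaping helper) rather than filtering the parameter on input, since the commit message describes the bug as unescaped HTML special characters reaching the page. It would also help to state in the commit message where the 'type' parameter enters the page (the `$p_file_type` argument is the only candidate visible here) and to add a regression case with a crafted 'type' value so the escaping cannot silently regress.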