Prevent XSS in helper_ensure_confirmed() calls

When the confirmation message references user-provided data, it needs to be escaped prior to calling the function. Fixes #27779, CVE-2020-35571
mantisbt · Dec 30, 2020 · f6502be · f6502be
1 parent e636504
commit f6502be
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 6 deletions.
diff --git a/manage_config_revert.php b/manage_config_revert.php
@@ -74,7 +74,7 @@
 if( '' != $f_revert ) {
 	# Confirm with the user
 	helper_ensure_confirmed( lang_get( 'config_delete_sure' ) . lang_get( 'word_separator' ) .
-		string_html_specialchars( implode( ', ', $t_revert_vars ) ) . lang_get( 'word_separator' ) . lang_get( 'in_project' ) . lang_get( 'word_separator' ) . project_get_name( $f_project_id ),
+		string_html_specialchars( implode( ', ', $t_revert_vars ) ) . lang_get( 'word_separator' ) . lang_get( 'in_project' ) . lang_get( 'word_separator' ) . string_attribute( project_get_name( $f_project_id ) ),
 		lang_get( 'delete_config_button' ) );
 
 	foreach ( $t_revert_vars as $t_revert ) {

diff --git a/manage_custom_field_update.php b/manage_custom_field_update.php
@@ -73,7 +73,12 @@
 
 $t_def = custom_field_get_definition( $f_field_id );
 if( $t_def['type'] != $t_values['type'] && custom_field_has_data( $f_field_id ) ) {
-	helper_ensure_confirmed( sprintf( lang_get( 'warning_update_custom_field_type' ), $t_def['name'] ), lang_get( 'update' ) );
+	helper_ensure_confirmed(
+		sprintf( lang_get( 'warning_update_custom_field_type' ),
+			string_attribute( $t_def['name'] )
+		),
+		lang_get( 'update' )
+	);
 }
 
 custom_field_update( $f_field_id, $t_values );

diff --git a/manage_filter_delete.php b/manage_filter_delete.php
@@ -56,7 +56,7 @@
 	exit;
 }
 
-helper_ensure_confirmed( lang_get( 'query_delete_msg' ) . '<br>"' . filter_get_field( $f_filter_id, 'name' ) . '"',
+helper_ensure_confirmed( lang_get( 'query_delete_msg' ) . '<br>"' . string_attribute( filter_get_field( $f_filter_id, 'name' ) ) . '"',
 		lang_get( 'delete_query' ) );
 
 filter_db_delete_filter( $f_filter_id );

diff --git a/manage_proj_user_remove.php b/manage_proj_user_remove.php
@@ -74,7 +74,7 @@
 
 	# Confirm with the user
 	helper_ensure_confirmed( lang_get( 'remove_user_sure_msg' ) .
-		'<br />' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'],
+		'<br />' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_user['username'] ),
 		lang_get( 'remove_user_button' ) );
 
 	project_remove_user( $f_project_id, $f_user_id );

diff --git a/manage_user_delete.php b/manage_user_delete.php
@@ -57,7 +57,7 @@
 
 $t_user = user_get_row( $f_user_id );
 helper_ensure_confirmed( lang_get( 'delete_account_sure_msg' ) .
-	'<br />' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'],
+	'<br />' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_user['username'] ),
 	lang_get( 'delete_account_button' ) );
 
 # If an administrator is trying to delete their own account, use

diff --git a/manage_user_proj_delete.php b/manage_user_proj_delete.php
@@ -65,7 +65,7 @@
 
 # Confirm with the user
 helper_ensure_confirmed( lang_get( 'remove_user_sure_msg' ) .
-	'<br />' . lang_get( 'project_name_label' ) . lang_get( 'word_separator' ) . $t_project_name,
+	'<br />' . lang_get( 'project_name_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_project_name ),
 	lang_get( 'remove_user_button' ) );
 
 project_remove_user( $f_project_id, $f_user_id );