From f6502be6d62f0eadf0667aa0733caa2d6ddf4c2c Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Sat, 19 Dec 2020 18:27:48 +0100
Subject: [PATCH] Prevent XSS in helper_ensure_confirmed() calls
When the confirmation message references user-provided data, it needs to be escaped prior to calling the function.
Fixes #27779, CVE-2020-35571
---
 manage_config_revert.php | 2 +-
 manage_custom_field_update.php | 7 ++++++-
 manage_filter_delete.php | 2 +-
 manage_proj_user_remove.php | 2 +-
 manage_user_delete.php | 2 +-
 manage_user_proj_delete.php | 2 +-
 6 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/manage_config_revert.php b/manage_config_revert.php
index 8afeaa68b0..9523e35905 100644
--- a/manage_config_revert.php
+++ b/manage_config_revert.php
@@ -74,7 +74,7 @@
 if( '' != $f_revert ) {
 # Confirm with the user
 helper_ensure_confirmed( lang_get( 'config_delete_sure' ) . lang_get( 'word_separator' ) .
- string_html_specialchars( implode( ', ', $t_revert_vars ) ) . lang_get( 'word_separator' ) . lang_get( 'in_project' ) . lang_get( 'word_separator' ) . project_get_name( $f_project_id ),
+ string_html_specialchars( implode( ', ', $t_revert_vars ) ) . lang_get( 'word_separator' ) . lang_get( 'in_project' ) . lang_get( 'word_separator' ) . string_attribute( project_get_name( $f_project_id ) ),
 lang_get( 'delete_config_button' ) );
 foreach ( $t_revert_vars as $t_revert ) {
diff --git a/manage_custom_field_update.php b/manage_custom_field_update.php
index fc6fcc4cef..a461544c66 100644
--- a/manage_custom_field_update.php
+++ b/manage_custom_field_update.php
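Review bot: The new line escapes `project_get_name( $f_project_id )` with `string_attribute()` while the `$t_revert_vars` list it is concatenated with still goes through `string_html_specialchars()`, so a single confirmation message is built with two different escaping helpers. Unless the two are equivalent for the context helper_ensure_confirmed() renders into (the commit description implies the message is emitted as markup), use one of them for both parts, e.g. `string_attribute( implode( ', ', $t_revert_vars ) )`, so a reader does not have to verify that the first half is escaped to the same standard. The caller-side escaping contract is stated only in the commit message; a one-line comment above the call, `# message is rendered as HTML: every dynamic part must be escaped by the caller`, would keep the next call site from reintroducing the issue, and the same comment applies to the other five hunks (manage_custom_field_update.php, manage_filter_delete.php, manage_proj_user_remove.php, manage_user_delete.php, manage_user_proj_delete.php). The enclosing `if( '' != $f_revert )` block opens within the hunk but closes outside it.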
@@ -73,7 +73,12 @@
 $t_def = custom_field_get_definition( $f_field_id );
 if( $t_def['type'] != $t_values['type'] && custom_field_has_data( $f_field_id ) ) {
- helper_ensure_confirmed( sprintf( lang_get( 'warning_update_custom_field_type' ), $t_def['name'] ), lang_get( 'update' ) );
+ helper_ensure_confirmed(
+ sprintf( lang_get( 'warning_update_custom_field_type' ),
+ string_attribute( $t_def['name'] )
+ ),
+ lang_get( 'update' )
+ );
 }
 custom_field_update( $f_field_id, $t_values );
diff --git a/manage_filter_delete.php b/manage_filter_delete.php
index 1dd32a433c..1566bb4e4e 100644
--- a/manage_filter_delete.php
+++ b/manage_filter_delete.php
@@ -56,7 +56,7 @@
 exit;
 }
-helper_ensure_confirmed( lang_get( 'query_delete_msg' ) . '
"' . filter_get_field( $f_filter_id, 'name' ) . '"',
+helper_ensure_confirmed( lang_get( 'query_delete_msg' ) . '
"' . string_attribute( filter_get_field( $f_filter_id, 'name' ) ) . '"',
 lang_get( 'delete_query' ) );
 filter_db_delete_filter( $f_filter_id );
diff --git a/manage_proj_user_remove.php b/manage_proj_user_remove.php
index 0b68df344b..b25c90312a 100644
--- a/manage_proj_user_remove.php
+++ b/manage_proj_user_remove.php
@@ -74,7 +74,7 @@
 # Confirm with the user
 helper_ensure_confirmed( lang_get( 'remove_user_sure_msg' ) .
- '
' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'],
+ '
' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_user['username'] ),
 lang_get( 'remove_user_button' ) );
 project_remove_user( $f_project_id, $f_user_id );
diff --git a/manage_user_delete.php b/manage_user_delete.php
index e7d206a633..4c3a1e8c0e 100644
--- a/manage_user_delete.php
+++ b/manage_user_delete.php
@@ -57,7 +57,7 @@
 $t_user = user_get_row( $f_user_id );
 helper_ensure_confirmed( lang_get( 'delete_account_sure_msg' ) .
- '
' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . $t_user['username'],
+ '
' . lang_get( 'username_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_user['username'] ),
 lang_get( 'delete_account_button' ) );
 # If an administrator is trying to delete their own account, use
diff --git a/manage_user_proj_delete.php b/manage_user_proj_delete.php
index 3bd9e4c0b2..aab420e707 100644
--- a/manage_user_proj_delete.php
+++ b/manage_user_proj_delete.php
@@ -65,7 +65,7 @@
 # Confirm with the user
 helper_ensure_confirmed( lang_get( 'remove_user_sure_msg' ) .
- '
' . lang_get( 'project_name_label' ) . lang_get( 'word_separator' ) . $t_project_name,
+ '
' . lang_get( 'project_name_label' ) . lang_get( 'word_separator' ) . string_attribute( $t_project_name ),
 lang_get( 'remove_user_button' ) );
 project_remove_user( $f_project_id, $f_user_id );