Fix #11397: XSS with project names in relationship table

A malicious project name containing Javascript is not sanitised before being printed in the relationships table (the bug view page).
mantisbt · Jan 15, 2010 · 0995c23 · 0995c23
1 parent cb5ca45
commit 0995c23
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/relationship_api.php b/core/relationship_api.php
@@ -676,7 +676,7 @@ function relationship_get_details( $p_bug_id, $p_relationship, $p_html = false,
 
 	# add project name
 	if( $p_show_project ) {
-		$t_relationship_info_html .= $t_td . $t_related_project_name . '&nbsp;</td>';
+		$t_relationship_info_html .= $t_td . string_display_line( $t_related_project_name ) . '&nbsp;</td>';
 	}
 
 	# add summary