Skip to content
Permalink
Browse files Browse the repository at this point in the history
Issue #13281: Fix Projax XSS issues (unescaped value attributes)
Projax sucks. This is why it was replaced with jQuery in the master
branch. However master-1.2.x still uses the older Projax code. The
Projax library doesn't attempt to escape values before dumping them in
HTML output, thus leading to XSS issues.

The easiest workaround is to pass in already-escaped values to the
Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as
part of their advisory #HTB23045, available at
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
  • Loading branch information
davidhicks committed Sep 4, 2011
1 parent 4b7492d commit 0a636b3
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 6 deletions.
6 changes: 3 additions & 3 deletions bug_report_page.php
Expand Up @@ -291,7 +291,7 @@
</select>
<?php
} else {
projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $f_platform, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $f_platform ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
}
?>
</td>
Expand All @@ -308,7 +308,7 @@
</select>
<?php
} else {
projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $f_os, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $f_os ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
}
?>
</td>
Expand All @@ -327,7 +327,7 @@
</select>
<?php
} else {
projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $f_os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $f_os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
}
?>
</td>
Expand Down
6 changes: 3 additions & 3 deletions bug_update_advanced_page.php
Expand Up @@ -438,7 +438,7 @@
print_platform_option_list( $tpl_bug->platform );
echo '</select>';
} else {
projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $tpl_bug->platform, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $tpl_bug->platform ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
}

echo '</td>';
Expand All @@ -456,7 +456,7 @@
print_os_option_list( $tpl_bug->os );
echo '</select>';
} else {
projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $tpl_bug->os, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $tpl_bug->os ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
}

echo '</td>';
Expand All @@ -474,7 +474,7 @@
print_os_build_option_list( $tpl_bug->os_build );
echo '</select>';
} else {
projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $tpl_bug->os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $tpl_bug->os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
}

echo '</td>';
Expand Down

0 comments on commit 0a636b3

Please sign in to comment.