
Issue #13281: Fix Projax XSS issues (unescaped value attributes)

Projax sucks. This is why it was replaced with jQuery in the master
branch. However master-1.2.x still uses the older Projax code. The
Projax library doesn't attempt to escape values before dumping them in
HTML output, thus leading to XSS issues.

The easiest workaround is to pass values that are already escaped for an
HTML attribute context (via string_attribute()) to the Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as
part of their advisory #HTB23045, available at
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
1 parent 4b7492d commit 0a636b37d3425aea7b781e7f25eaeb164ac54a3d @davidhicks davidhicks committed Sep 4, 2011
Showing with 6 additions and 6 deletions.
  1. +3 −3 bug_report_page.php
  2. +3 −3 bug_update_advanced_page.php
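--- a/bug_report_page.php
+++ b/bug_report_page.php
@@ -291,7 +291,7 @@
 </select>
 <?php
 } else {
-projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $f_platform, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $f_platform ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 }
 ?>
 </td>
@@ -308,7 +308,7 @@
 </select>
 <?php
 } else {
-projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $f_os, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $f_os ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 }
 ?>
 </td>
@@ -327,7 +327,7 @@
 </select>
 <?php
 } else {
-projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $f_os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $f_os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 }
 ?>
 </td>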
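Review bot: The escaping now lives at each of the three call sites rather than inside projax_autocomplete(), so any other Projax caller, present or future, stays unescaped — the commit message itself calls this a workaround, and nothing in the new lines records the contract the next maintainer must keep. Add a one-line comment at each call, e.g. `// projax_autocomplete() emits 'value' into the HTML attribute unescaped: escape here`, and treat escaping inside the library's attribute rendering as the durable fix. `$f_platform`, `$f_os` and `$f_os_build` presumably come from request input (the `f_` prefix), which is what makes this reflected XSS; the other array entries (`size`, `maxlength`, `tabindex`) are literals or a helper result, but since they are written through the same unescaped path, confirm they can never carry user-controlled text. The `else` branch holding each call starts before the hunk.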
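--- a/bug_update_advanced_page.php
+++ b/bug_update_advanced_page.php
@@ -438,7 +438,7 @@
 print_platform_option_list( $tpl_bug->platform );
 echo '</select>';
 } else {
-projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $tpl_bug->platform, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $tpl_bug->platform ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 }
 echo '</td>';
@@ -456,7 +456,7 @@
 print_os_option_list( $tpl_bug->os );
 echo '</select>';
 } else {
-projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $tpl_bug->os, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $tpl_bug->os ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 }
 echo '</td>';
@@ -474,7 +474,7 @@
 print_os_build_option_list( $tpl_bug->os_build );
 echo '</select>';
 } else {
-projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $tpl_bug->os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $tpl_bug->os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 }
 echo '</td>';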
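Review bot: The values escaped here are stored bug fields (`$tpl_bug->platform`, `->os`, `->os_build`), so this was a stored XSS reachable by anyone who can file or edit a bug, and the same fields are also handed raw to `print_platform_option_list()`, `print_os_option_list()` and `print_os_build_option_list()` in the `if` branch one line above each change; their escaping is not visible in this hunk and should be confirmed, both for the option text and for any `selected` comparison they perform. Since the fix is per call site, record the reason at each call, e.g. `// Projax does not escape attribute values; string_attribute() prevents stored XSS via bug fields`, so a later cleanup does not drop the wrapper as redundant. The `if`/`else` that holds each call begins before the hunk. Any other page that renders these three fields into Projax or raw HTML needs the same review; this commit covers only the two files in the diffstat.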
