Fix #12231: XSS vulnerability when uninstalling badly named plugins
John Reese discovered an XSS vulnerability with the uninstall
confirmation message shown when plugins are being uninstalled. The
plugin name is not escaped before being outputted and thus HTML unsafe
characters are not sanitised.

This doesn't actually pose a security risk because it requires someone
to:
a) Have access to the server to rename a plugin in the PHP files
b) Have administrator access to the MantisBT installation
davidhicks committed Aug 4, 2010
1 parent 083c34f commit 2e39770
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion manage_plugin_uninstall.php
Expand Up @@ -44,6 +44,7 @@
require_api( 'lang_api.php' );
require_api( 'plugin_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );

form_security_validate( 'manage_plugin_uninstall' );

Expand All @@ -56,7 +57,7 @@
$f_basename = gpc_get_string( 'name' );
$t_plugin = plugin_register( $f_basename, true );

helper_ensure_confirmed( sprintf( lang_get( 'plugin_uninstall_message' ), $t_plugin->name ), lang_get( 'plugin_uninstall' ) );
helper_ensure_confirmed( sprintf( lang_get( 'plugin_uninstall_message' ), string_display_line( $t_plugin->name ) ), lang_get( 'plugin_uninstall' ) );

if ( !is_null( $t_plugin ) ) {
plugin_uninstall( $t_plugin );
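Review bot: On the changed `helper_ensure_confirmed( ... string_display_line( $t_plugin->name ) ... )` line, `$t_plugin->name` is still read before the `if ( !is_null( $t_plugin ) )` guard on the context line below it. That guard implies `plugin_register( $f_basename, true )` can return null, in which case the property access runs on null before the check is reached. Suggest moving the confirmation prompt inside the null check, or stopping right after `plugin_register()` when the result is null, so the escaped name is only built for a plugin that actually registered. Passing only the plugin name through `string_display_line()` before `sprintf()`, rather than escaping the whole formatted message, is the right placement.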