From 45a2b5c3fa279fc6e3efa46e120603c70d98e14d Mon Sep 17 00:00:00 2001
From: David Hicks
Date: Fri, 15 Jan 2010 20:27:58 +1100
Subject: [PATCH] Fix #11397: XSS with project names in relationship table

A malicious project name containing Javascript is not sanitised before
being printed in the relationships table (the bug view page).
---
 core/relationship_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/relationship_api.php b/core/relationship_api.php
index 7d6beffdd6..16dfeb002e 100644
--- a/core/relationship_api.php
+++ b/core/relationship_api.php
@@ -649,7 +649,7 @@ function relationship_get_details( $p_bug_id, $p_relationship, $p_html = false,
 	# add project name
 	if( $p_show_project ) {
-		$t_relationship_info_html .= $t_td . $t_related_project_name . ' ';
+		$t_relationship_info_html .= $t_td . string_display_line( $t_related_project_name ) . ' ';
 	}
 	# add summary
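Review bot: The added `string_display_line()` call escapes the project name only at this one output site, and nothing in the hunk shows whether `$t_related_project_name` is emitted again elsewhere in `relationship_get_details()`, whose body begins before and continues after the hunk (the `# add summary` cell starts right after it). Every other user-controlled value appended to `$t_relationship_info_html` in this function should be checked for the same treatment, since the variable is clearly built up across several cells. The function also takes `$p_html = false`; if the non-HTML path reaches this same line, the escaped text would be wrong for a plain-text consumer, so that branch is worth confirming. A short why-comment at the added line would stop the escaping from being "simplified" away later, e.g. `# project names are user-controlled; escape before rendering into the bug view (#11397)`.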