Fixed various CSS vulnerabilities (thanks to Paul Richards for discov…

…ering them)

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2268 f5dc347c-c33d-0410-90a0-b07cc1902cb9

bug_actiongroup_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: bug_actiongroup_page.php,v 1.31 2003-02-20 05:42:22 vboctor Exp $
+	# $Id: bug_actiongroup_page.php,v 1.32 2003-10-18 16:34:59 jlatour Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -81,7 +81,7 @@
 <br />
 <div align="center">
 <form method="POST" action="bug_actiongroup.php">
-<input type="hidden" name="action" value="<?php echo $f_action ?>" />
+<input type="hidden" name="action" value="<?php echo string_attribute( $f_action ) ?>" />
 <table class="width75" cellspacing="1">
 <?php foreach( $f_bug_arr as $t_bug_id ) { ?>
 		<input type="hidden" name="bug_arr[]" value="<?php echo $t_bug_id ?>" />

core/summary_api.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: summary_api.php,v 1.17 2003-03-10 19:45:17 int2str Exp $
+	# $Id: summary_api.php,v 1.18 2003-10-18 16:34:59 jlatour Exp $
 	# --------------------------------------------------------
 
 	#######################################################################
@@ -15,7 +15,7 @@
 
 	function summary_helper_print_row( $p_label, $p_open, $p_resolved, $p_closed, $p_total ) {
 		printf( '<tr %s>', helper_alternate_class() );
-		printf( '<td width="50%%">%s</td>', $p_label );
+		printf( '<td width="50%%">%s</td>', string_display( $p_label ) );
 		printf( '<td width="12%%" class="right">%d</td>', $p_open );
 		printf( '<td width="12%%" class="right">%d</td>', $p_resolved );
 		printf( '<td width="12%%" class="right">%d</td>', $p_closed );

doc/ChangeLog

@@ -8,6 +8,7 @@ Mantis ChangeLog
  * Fix #3333: Support PHPMailer v1.7x.
  * Fix #3334: Invalid links in bug reminder emails.
  * Fix #3353: History not updated in bug deletion email.
+ * Sec #0000: Various Cross-Site Scripting vulnerabilities fixed (thanks to Paul Richards).
  * Languages: Updated French localisation.
 
 2003.08.24  -  0.18.0rc1

history_inc.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: history_inc.php,v 1.19 2003-03-22 21:42:22 jlatour Exp $
+	# $Id: history_inc.php,v 1.20 2003-10-18 16:34:59 jlatour Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -55,13 +55,13 @@
 		<?php print_user( $t_item['userid'] ) ?>
 	</td>
 	<td class="small-caption">
-		<?php echo $t_item['note'] ?>
+		<?php echo string_display( $t_item['note'] ) ?>
 	</td>
 	<td class="small-caption">
-		<?php echo $t_item['change'] ?>
+		<?php echo string_display( $t_item['change'] ) ?>
 	</td>
 </tr>
 <?php
 	} # end for loop
 ?>
-</table>
+</table>

manage_proj_edit_page.php

@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: manage_proj_edit_page.php,v 1.71 2003-03-22 16:30:35 jlatour Exp $
+	# $Id: manage_proj_edit_page.php,v 1.72 2003-10-18 16:34:59 jlatour Exp $
 	# --------------------------------------------------------
 ?>
 <?php
@@ -383,7 +383,7 @@
 					{
 						if( !custom_field_is_linked( $t_field_id, $f_project_id ) ) {
 							$t_desc = custom_field_get_definition( $t_field_id );
-							echo "<option value=\"$t_field_id\">" . $t_desc['name'] . '</option>' ;
+							echo "<option value=\"$t_field_id\">" . string_attribute( $t_desc['name'] ) . '</option>' ;
 						}
 					}
 				?>

view_all_inc.php

@@ -404,7 +404,7 @@
 				echo ']</small><br />';
 			}
 
-			echo $v_category;
+			echo string_display( $v_category );
 		?>
 	</td>
 	<?php # -- Severity -- ?>