Fix #11229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.
mantisbt · Dec 1, 2009 · 70b5022 · 70b5022
1 parent 60a4d24
commit 70b5022
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 10 deletions.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -2939,8 +2939,8 @@ function SwitchDateFields() {
 			$t_tag_string .= ( is_blank( $t_tag_string ) ? '' : config_get( 'tag_separator' ) );
 			$t_tag_string .= tag_get_field( $t_filter[FILTER_PROPERTY_TAG_SELECT], 'name' );
 		}
-		echo $t_tag_string;
-		echo '<input type="hidden" name="', FILTER_PROPERTY_TAG_STRING, '" value="', $t_tag_string, '" />';
+		echo string_html_entities( $t_tag_string );
+		echo '<input type="hidden" name="', FILTER_PROPERTY_TAG_STRING, '" value="', string_attribute( $t_tag_string ), '" />';
 		?>
 			</td>
 		</tr>
@@ -3900,7 +3900,7 @@ function print_filter_tag_string() {
 	}
 	?>
 		<input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' )?>" />
-		<input type="text" name="<?php echo FILTER_PROPERTY_TAG_STRING;?>" id="<?php echo FILTER_PROPERTY_TAG_STRING;?>" size="40" value="<?php echo $t_tag_string?>" />
+		<input type="text" name="<?php echo FILTER_PROPERTY_TAG_STRING;?>" id="<?php echo FILTER_PROPERTY_TAG_STRING;?>" size="40" value="<?php echo string_attribute( $t_tag_string )?>" />
 		<select <?php echo helper_get_tab_index()?> name="<?php echo FILTER_PROPERTY_TAG_SELECT;?>" id="<?php echo FILTER_PROPERTY_TAG_SELECT;?>">
 			<?php print_tag_option_list();?>
 		</select>

diff --git a/core/print_api.php b/core/print_api.php
@@ -317,7 +317,7 @@ function print_tag_option_list( $p_bug_id = 0 ) {
 		if ( !empty( $row['description'] ) ) {
 			$t_string .= ' - ' . utf8_substr( $row['description'], 0, 20 );
 		}
-		echo '<option value="', $row['id'], '" title="', $row['name'], '">', $t_string, '</option>';
+		echo '<option value="', $row['id'], '" title="', string_html_entities( $row['name'] ), '">', string_html_entities( $t_string ), '</option>';
 	}
 }
 

diff --git a/tag_update_page.php b/tag_update_page.php
@@ -38,14 +38,17 @@
 	$f_tag_id = gpc_get_int( 'tag_id' );
 	$t_tag_row = tag_get( $f_tag_id );
 
+	$t_name = string_display_line( $t_tag_row['name'] );
+	$t_description = string_display( $t_tag_row['description'] );
+
 	if ( !( access_has_global_level( config_get( 'tag_edit_threshold' ) )
 		|| ( auth_get_current_user_id() == $t_tag_row['user_id'] )
 			&& access_has_global_level( config_get( 'tag_edit_own_threshold' ) ) ) )
 	{
 		access_denied();
 	}
 
-	html_page_top( sprintf( lang_get( 'tag_update' ), $t_tag_row['name'] ) );
+	html_page_top( sprintf( lang_get( 'tag_update' ), $t_name ) );
 ?>
 
 <br/>
@@ -56,7 +59,7 @@
 <!-- Title -->
 <tr>
 	<td class="form-title" colspan="2">
-		<?php echo sprintf( lang_get( 'tag_update' ), $t_tag_row['name'] ) ?>
+		<?php echo sprintf( lang_get( 'tag_update' ), $t_name ) ?>
 		<input type="hidden" name="tag_id" value="<?php echo $f_tag_id ?>"/>
 	</td>
 	<td class="right" colspan="3">
@@ -75,7 +78,7 @@
 
 <tr <?php echo helper_alternate_class() ?>>
 	<td><?php echo $t_tag_row['id'] ?></td>
-	<td><input type="text" <?php echo helper_get_tab_index() ?> name="name" value="<?php echo $t_tag_row['name'] ?>"/></td>
+	<td><input type="text" <?php echo helper_get_tab_index() ?> name="name" value="<?php echo $t_name ?>"/></td>
 	<td><?php
 			if ( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) {
 				if ( ON == config_get( 'use_javascript' ) ) {
@@ -103,7 +106,7 @@
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category"><?php echo lang_get( 'tag_description' ) ?></td>
 	<td colspan="4">
-		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_tag_row['description'] ) ?></textarea>
+		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_description ) ?></textarea>
 	</td>
 </tr>
 

diff --git a/tag_view_page.php b/tag_view_page.php
@@ -38,7 +38,7 @@
 	$t_name = string_display_line( $t_tag_row['name'] );
 	$t_description = string_display( $t_tag_row['description'] );
 
-	html_page_top( sprintf( lang_get( 'tag_details' ), $t_tag_row['name'] ) );
+	html_page_top( sprintf( lang_get( 'tag_details' ), $t_name ) );
 ?>
 
 <br/>
@@ -47,7 +47,7 @@
 <!-- Title -->
 <tr>
 	<td class="form-title" colspan="2">
-		<?php echo sprintf( lang_get( 'tag_details' ), $t_tag_row['name'] ) ?>
+		<?php echo sprintf( lang_get( 'tag_details' ), $t_name ) ?>
 
 	</td>
 	<td class="right" colspan="3">