Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix XSS in bug_change_status_page.php
The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22486
  • Loading branch information
dregad committed Mar 9, 2017
1 parent f8b2510 commit c272c3f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion bug_change_status_page.php
Expand Up @@ -385,7 +385,7 @@

</tbody>
</table>
<input type="hidden" name="action_type" value="<?php echo $f_change_type; ?>" />
<input type="hidden" name="action_type" value="<?php echo string_attribute( $f_change_type ); ?>" />

</div>
</div>
Expand Down

0 comments on commit c272c3f

Please sign in to comment.