Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22486
dregad committed Mar 7, 2017
1 parent f8b2510 commit c272c3f65da9677e505ff692b1f1e476b3afa56e
Showing with 1 addition and 1 deletion.
  1. +1 −1 bug_change_status_page.php
@@ -385,7 +385,7 @@

</tbody>
</table>
<input type="hidden" name="action_type" value="<?php echo $f_change_type; ?>" />
<input type="hidden" name="action_type" value="<?php echo string_attribute( $f_change_type ); ?>" />

</div>
</div>
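Review bot: On the hidden `action_type` input, encoding with `string_attribute()` at the echo is the right fix for the attribute context, but it covers only this one sink, and as far as this hunk shows `$f_change_type` is still accepted with any content. Since the field is submitted back with the form as `action_type`, consider also checking the parameter against the set of expected change types where it is read, so an unexpected value is rejected rather than only rendered safely. It is also worth checking the rest of this form for other request-derived variables echoed into attributes without `string_attribute()`, and adding a regression test with a value containing a double quote to document why the encoding is there.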
