Fix #12474: bug_report XSS issue when report_stay=1

The "report stay" feature of the bug report page allows the user to remain on the bug report page after submitting a report. After submission a new bug_report page is opened and is prefilled with data from the bug report just completed. The problem is that the hidden input fields are not properly escaped. This is not really a security issue as you need a valid one time CSRF token to access bug_report.php anyhow. It's more a case of users experiencing broken page output when they submit bug reports containing HTML characters (using the report stay feature).
mantisbt · Oct 22, 2010 · c896125 · c896125
1 parent 1aa1178
commit c896125
Showing 1 changed file with 14 additions and 14 deletions.
diff --git a/bug_report.php b/bug_report.php
@@ -248,20 +248,20 @@
 	<p>
 	<form method="post" action="<?php echo string_get_bug_report_url() ?>">
 	<?php # CSRF protection not required here - form does not result in modifications ?>
-		<input type="hidden" name="category_id" 	value="<?php echo $t_bug_data->category_id ?>" />
-		<input type="hidden" name="severity" 		value="<?php echo $t_bug_data->severity ?>" />
-		<input type="hidden" name="reproducibility" 	value="<?php echo $t_bug_data->reproducibility ?>" />
-		<input type="hidden" name="profile_id" 		value="<?php echo $t_bug_data->profile_id ?>" />
-		<input type="hidden" name="platform" 		value="<?php echo $t_bug_data->platform ?>" />
-		<input type="hidden" name="os" 			value="<?php echo $t_bug_data->os ?>" />
-		<input type="hidden" name="os_build" 		value="<?php echo $t_bug_data->os_build ?>" />
-		<input type="hidden" name="product_version" 	value="<?php echo $t_bug_data->version ?>" />
-		<input type="hidden" name="target_version" 	value="<?php echo $t_bug_data->target_version ?>" />
-		<input type="hidden" name="build" 		value="<?php echo $t_bug_data->build ?>" />
-		<input type="hidden" name="report_stay" 	value="1" />
-		<input type="hidden" name="view_state"		value="<?php echo $t_bug_data->view_state ?>" />
-		<input type="hidden" name="due_date"		value="<?php echo $t_bug_data->due_date ?>" />
-		<input type="submit" class="button" 		value="<?php echo lang_get( 'report_more_bugs' ) ?>" />
+		<input type="hidden" name="category_id" value="<?php echo string_attribute( $t_bug_data->category_id ) ?>" />
+		<input type="hidden" name="severity" value="<?php echo string_attribute( $t_bug_data->severity ) ?>" />
+		<input type="hidden" name="reproducibility" value="<?php echo string_attribute( $t_bug_data->reproducibility ) ?>" />
+		<input type="hidden" name="profile_id" value="<?php echo string_attribute( $t_bug_data->profile_id ) ?>" />
+		<input type="hidden" name="platform" value="<?php echo string_attribute( $t_bug_data->platform ) ?>" />
+		<input type="hidden" name="os" value="<?php echo string_attribute( $t_bug_data->os ) ?>" />
+		<input type="hidden" name="os_build" value="<?php echo string_attribute( $t_bug_data->os_build ) ?>" />
+		<input type="hidden" name="product_version" value="<?php echo string_attribute( $t_bug_data->version ) ?>" />
+		<input type="hidden" name="target_version" value="<?php echo string_attribute( $t_bug_data->target_version ) ?>" />
+		<input type="hidden" name="build" value="<?php echo string_attribute( $t_bug_data->build ) ?>" />
+		<input type="hidden" name="report_stay" value="1" />
+		<input type="hidden" name="view_state" value="<?php echo string_attribute( $t_bug_data->view_state ) ?>" />
+		<input type="hidden" name="due_date" value="<?php echo string_attribute( $t_bug_data->due_date ) ?>" />
+		<input type="submit" class="button" value="<?php echo lang_get( 'report_more_bugs' ) ?>" />
 	</form>
 	</p>
 <?php