Issue #13281: Fix Projax XSS issues (unescaped value attributes)

davidhicks · davidhicks · commit 0a636b37d342 · 2011-09-04T13:36:59.000+10:00
Projax sucks. This is why it was replaced with jQuery in the master branch. However master-1.2.x still uses the older Projax code. The Projax library doesn't attempt to escape values before dumping them in HTML output, thus leading to XSS issues. The easiest workaround is to pass in already-escaped values to the Projax functions. This issue was reported by High-Tech Bridge SA Security Research Lab as part of their advisory #HTB23045, available at https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
diff --git a/bug_report_page.php b/bug_report_page.php
@@ -291,7 +291,7 @@
 							</select>
 							<?php
 								} else {
-									projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $f_platform, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $f_platform ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
@@ -308,7 +308,7 @@
 							</select>
 							<?php
 								} else {
-									projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $f_os, 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $f_os ), 'size' => '32', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
@@ -327,7 +327,7 @@
 								</select>
 							<?php
 								} else {
-									projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $f_os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+									projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $f_os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 								}
 							?>
 						</td>
diff --git a/bug_update_advanced_page.php b/bug_update_advanced_page.php
@@ -438,7 +438,7 @@
 			print_platform_option_list( $tpl_bug->platform );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => $tpl_bug->platform, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'platform_get_with_prefix', 'platform', array( 'value' => string_attribute( $tpl_bug->platform ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';
@@ -456,7 +456,7 @@
 			print_os_option_list( $tpl_bug->os );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => $tpl_bug->os, 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'os_get_with_prefix', 'os', array( 'value' => string_attribute( $tpl_bug->os ), 'size' => '16', 'maxlength' => '32', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';
@@ -474,7 +474,7 @@
 			print_os_build_option_list( $tpl_bug->os_build );
 			echo '</select>';
 		} else {
-			projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => $tpl_bug->os_build, 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
+			projax_autocomplete( 'os_build_get_with_prefix', 'os_build', array( 'value' => string_attribute( $tpl_bug->os_build ), 'size' => '16', 'maxlength' => '16', 'tabindex' => helper_get_tab_index_value() ) );
 		}
 
 		echo '</td>';
