Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
mantisbt · Jan 18, 2013 · f5ac454 · f5ac454
1 parent 8414dc7
commit f5ac454
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>