View Issue Details

ID: 0025749
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2019-08-25 12:36
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.22.0
Fixed in Version: 2.22.0
Summary: 0025749: error_string() does not allow HTML tags inside of error messages
Description

Many of our language strings rely on sprintf() to insert dynamic parameters prior to output; several strings also include HTML tags (a, br, em, strong, etc.).

Since 1.2.0a1, the error_string() API function sanitizes the resulting string (i.e. the language string after parameter substitution) via an htmlspecialchars() call to protect from potential XSS attacks (see 0008202). Consequently, the tags are escaped and the formatting is lost.

Considering that the language strings themselves are trusted input, we should only encode the parameters.

It would also make sense to authorize br tags without attributes within parameters.

Tags: No tags attached.

Relationships

related to 0008202 (closed, grangeway): Potential Cross-Site Scripting Flaws

Related Changesets

MantisBT: master 3dada1bf
2019-05-09 07:32, dregad

error_string() allow HTML tags in lang string

Prior to this, HTML escaping was applied after parameter substitution,
on the whole string.

Now, the language string for the error message is considered trusted
input and is therefore not escaped; we only process the parameters,
allowing <br> tags, before they are inserted into the placeholders.

Fixes 0025749
Affected Issues: 0025749
mod - core/error_api.php
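As an added illustration of the approach described in the report and in the changeset above (this is not MantisBT's own error_api.php code), the following PHP escapes only the sprintf() parameters, restores attribute-less br tags inside them, and leaves the trusted language string's markup intact; the function names and the sample language string are assumed for the example.

```php
<?php
// Added illustration, not MantisBT code: build an error message from a
// trusted language string containing HTML, escaping only the dynamic
// parameters that come from untrusted sources.

// Escape one parameter for HTML output, then restore bare <br> tags.
// Only attribute-less forms (<br>, <br/>, <br />) are restored; a tag
// carrying attributes such as "<br onload=...>" stays escaped.
function escape_error_param(string $param): string {
    $escaped = htmlspecialchars($param, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/&lt;br\s*\/?&gt;/i', '<br />', $escaped);
}

// Substitute the escaped parameters into the trusted language string.
// $lang_string is assumed to come from the language files (trusted);
// $params are untrusted values (e.g. user-supplied field contents).
function format_error_string(string $lang_string, array $params): string {
    $safe = array_map('escape_error_param', $params);
    return vsprintf($lang_string, $safe);
}

// Previous behaviour, for comparison: the whole substituted string is
// escaped, so the markup in the language string itself is lost too.
function format_error_string_old(string $lang_string, array $params): string {
    $raw = vsprintf($lang_string, $params);
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a language string with markup and a hostile parameter
// that mixes a script tag with a legitimate line break.
$lang  = 'The field <strong>%s</strong> is invalid.<br>'
       . 'See <a href="help.php">the help page</a>.';
$param = '<script>alert(1)</script>line1<br>line2';

echo "Old: ", format_error_string_old($lang, [$param]), "\n";
echo "New: ", format_error_string($lang, [$param]), "\n";
```

In the "New" output the script tag from the parameter remains escaped while the language string's strong and a tags and the parameter's br tag are rendered; in the "Old" output every tag is escaped.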