View Issue Details
| Field | Value |
|---|---|
| ID | 0025749 |
| Project | mantisbt |
| Category | bugtracker |
| View Status | public |
| Date Submitted | 2019-05-09 10:16 |
| Last Update | 2019-08-25 12:36 |
| Reporter | dregad |
| Assigned To | dregad |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Target Version | 2.22.0 |
| Fixed in Version | 2.22.0 |
| Summary | 0025749: error_string() does not allow HTML tags inside of error messages |

Description

Many of our language strings rely on sprintf() to insert dynamic parameters prior to output; several strings also include HTML tags ( Since 1.2.0a1, the error_string() API function sanitizes the resulting string (i.e. the language string after parameters substitution) via an htmlspecialchars() call to protect from potential XSS attacks (see 0008202). Consequently, the tags are escaped and the formatting is lost. Considering that the language strings themselves are trusted input, we should only encode the parameters. It would also make sense to authorize

Tags: No tags attached.
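The two escaping orders the issue contrasts, shown side by side in PHP. This is an added illustration, not MantisBT's own error_api.php code: the language string, the parameter values and the function names `error_string_old()` / `error_string_new()` are all constructed for the example, and the way the `<br>` tag is let through in a parameter is an assumption about how such a rule can be implemented, not a description of the project's implementation.

```php
<?php
declare(strict_types=1);

// Constructed example of a trusted language string with a formatting tag.
// In MantisBT such strings live in the lang/ files; this one is made up here.
const EXAMPLE_LANG_STRING = 'Parameter "%1$s" is not valid.<br>Please correct it and try again.';

/**
 * Pre-fix order (hypothetical reconstruction): substitute the parameters
 * first, then escape the whole result. Untrusted input cannot inject
 * markup, but the <br> that belongs to the trusted string is escaped too
 * and the formatting is lost.
 */
function error_string_old(string $p_lang_string, array $p_params): string {
    $t_message = vsprintf($p_lang_string, $p_params);
    return htmlspecialchars($t_message, ENT_QUOTES, 'UTF-8');
}

/**
 * Escape one untrusted parameter, then re-enable only a literal <br> tag
 * (with or without the self-closing slash). Every other tag stays escaped.
 */
function escape_error_param($p_param): string {
    $t_escaped = htmlspecialchars((string) $p_param, ENT_QUOTES, 'UTF-8');
    return preg_replace('#&lt;br\s*/?&gt;#i', '<br>', $t_escaped);
}

/**
 * Post-fix order: the language string is trusted and is not escaped;
 * only the parameters are escaped before they are substituted, so the
 * string's own <br> survives while injected markup in a parameter does not.
 */
function error_string_new(string $p_lang_string, array $p_params): string {
    $t_escaped = array_map('escape_error_param', $p_params);
    return vsprintf($p_lang_string, $t_escaped);
}

// Constructed inputs: one value carrying injected script markup, one value
// carrying a <br> that the caller legitimately wants rendered.
$t_injected = 'foo<script>alert(1)</script>';
$t_with_br  = 'first line<br />second line';

echo "old, injected: ", error_string_old(EXAMPLE_LANG_STRING, [$t_injected]), PHP_EOL;
echo "new, injected: ", error_string_new(EXAMPLE_LANG_STRING, [$t_injected]), PHP_EOL;
echo "old, with br : ", error_string_old(EXAMPLE_LANG_STRING, [$t_with_br]), PHP_EOL;
echo "new, with br : ", error_string_new(EXAMPLE_LANG_STRING, [$t_with_br]), PHP_EOL;
```

Run with `php example.php`. In the `old` lines every `<` and `>` is entity-encoded, including the `<br>` that came from the trusted language string, so a browser would display the literal text `&lt;br&gt;`. In the `new` lines the `<script>` tag from the parameter is still encoded, while the `<br>` from the language string (and the one explicitly permitted inside the parameter) is emitted as a real tag. The parameter filter is where the security decision lives: it escapes first and only then whitelists one harmless tag by exact pattern, rather than trying to strip dangerous tags from raw input.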
Related Changesets

| Repository | Branch | Changeset | Date |
|---|---|---|---|
| MantisBT | master | 3dada1bf | 2019-05-09 07:32 |

Commit message:

error_string() allow HTML tags in lang string

Prior to this, HTML escaping was applied after parameter substitution, on the whole string. Now, the language string for the error message is considered trusted input and is therefore not escaped; we only process the parameters, allowing <br> tags, before they are inserted into the placeholders.

Fixes 0025749

Affected Issues: 0025749

Files: mod - core/error_api.php