Bug #2382

closed

Non-htmlescaped url(s)

Added by beat over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 08 March 2011
Due date:
% Done: 100%
Estimated time:

Description

component.cbgroupjive.php line 2460:

            $msg_link                        =    '<a href="' . cbgjClass::getPluginURL( array( 'groups', 'join', $category->id, $group->id, $row->code ), null, false ) . '">' . CBTxt::T( 'here' ) . '</a>';

has false for param $htmlspecialchars, instead of true, so it's not escaped properly, causing potential vuln.

Please review all url outputs to html.
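The effect of that flag, as an added example that is not part of the original report or of the project's code: a regression check that parses the generated link and lists the attributes of the `<a>` element. `demo_plugin_url()`, its query layout, and the sample code value are hypothetical, and the builder is assumed to concatenate values without URL-encoding them.

```php
<?php
// Hypothetical stand-in for a URL builder with an $htmlspecialchars switch.
// It is NOT cbgjClass::getPluginURL(); the query layout is invented for this demo.
function demo_plugin_url(array $parts, bool $htmlspecialchars): string
{
    [$action, $func, $cat, $grp, $code] = $parts;
    // Assumption: values are concatenated as-is, so HTML escaping is the only defence.
    $url = "index.php?action=$action&func=$func&cat=$cat&grp=$grp&code=$code";
    return $htmlspecialchars ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8') : $url;
}

// Same construction as the reported line: the URL is placed inside href="...".
function demo_link(array $parts, bool $htmlspecialchars): string
{
    return '<a href="' . demo_plugin_url($parts, $htmlspecialchars) . '">here</a>';
}

// Parse the markup with an HTML parser and return the <a> element's attributes.
function anchor_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate unescaped ampersands in the raw case
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $attrs = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// A link passes when href is the only attribute and it decodes to the intended URL.
function link_is_intact(array $parts, bool $htmlspecialchars): bool
{
    $attrs = anchor_attributes(demo_link($parts, $htmlspecialchars));
    return array_keys($attrs) === ['href']
        && $attrs['href'] === demo_plugin_url($parts, false);
}

// Constructed sample: a code value containing a double quote.
$parts = ['groups', 'join', 3, 7, 'abc" title="injected'];

foreach ([false, true] as $flag) {
    $attrs = anchor_attributes(demo_link($parts, $flag));
    echo '$htmlspecialchars=' . var_export($flag, true)
        . ' attributes: ' . implode(', ', array_keys($attrs))
        . ' intact: ' . var_export(link_is_intact($parts, $flag), true) . "\n";
}
```

The same `link_is_intact()` check can be pointed at other places where a URL is written into HTML, which is the wider review the report asks for.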

Actions #1

Updated by krileon over 11 years ago

  • Status changed from New to Resolved
  • Assignee changed from krileon to beat
  • % Done changed from 0 to 100

Fixed in r1612

Actions #2

Updated by krileon over 11 years ago

  • Status changed from Resolved to Closed