When displaying the list project issue states for the "Current Issue States" field on http://example.com/admin/project/project-issue-settings, the issue state names (user-supplied input) are not sanitized before output. Attached is a patch that gives these the same treatment as project_issue does (filter_xss).

Risk is obviously largely mitigated by the fact that usually only very trusted roles have permission to change these in the first place.

CommentFileSizeAuthor
xss-issue-state.patch531 bytesmr.baileys

Comments

matt2000’s picture

Status: Needs review » Fixed

I'm making you a co-maintainer, so if you find any other improvements, you can have at it.

Thanks again.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit ff80564 on 6.x-1.x, 7.x-1.x by matt2000:
    #1090890 by mr.baileys: Fixed XSS vulnerability on project issue state.