[ZBX-3638] arguments passed to vtext.php are not escaped
Created: 2011 Mar 23 Updated: 2017 May 30 Resolved: 2011 May 16

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.8.4
Fix Version/s: None
Type: Incident report
Priority: Minor
Reporter: Aleksandrs Saveljevs
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Attachments: chipndale.png

Description
Create user "Chip & Dale". Go to "Administration" -> "Notifications". Observe chipndale.png. This happens because "Chip & Dale" is inserted into the helper URL unescaped: new CImg('vtext.php?text='.$user_data['alias'].$vTextColor).
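
The behaviour described in the report, reproduced outside Zabbix as an added example (it is not code from the Zabbix source and not the fix from the revisions mentioned in the comments). The function names and the value given to `$vTextColor` are assumptions; the script shows how the helper would see its query string with and without percent-encoding of the alias.

```php
<?php
// Added example; not Zabbix source. Function names and the $vTextColor
// value are assumptions made for this illustration.

// Pattern from the report: the alias goes into the query string as-is.
function helperUrlUnescaped(string $alias, string $vTextColor): string
{
    return 'vtext.php?text=' . $alias . $vTextColor;
}

// Percent-encode the value so '&', '=', '#', '+' and spaces stay inside "text".
function helperUrlEncoded(string $alias, string $vTextColor): string
{
    return 'vtext.php?text=' . rawurlencode($alias) . $vTextColor;
}

// Decode the query string the way PHP fills $_GET for the helper script.
function queryParams(string $url): array
{
    parse_str(substr($url, strpos($url, '?') + 1), $params);
    return $params;
}

// The URL ends up in an HTML attribute, so it also needs HTML escaping there.
function imgTag(string $url): string
{
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
}

$alias      = 'Chip & Dale';   // alias from the report
$vTextColor = '&color=1';      // constructed sample value

$urls = [
    'unescaped' => helperUrlUnescaped($alias, $vTextColor),
    'encoded'   => helperUrlEncoded($alias, $vTextColor),
];
foreach ($urls as $label => $url) {
    echo $label, ': ', $url, PHP_EOL;
    // Unescaped: "text" ends at the '&' and the rest becomes a separate parameter.
    // Encoded: "text" carries the whole alias.
    var_export(queryParams($url));
    echo PHP_EOL, imgTag($url), PHP_EOL, PHP_EOL;
}
```

`rawurlencode()` handles the query-string context and `htmlspecialchars()` handles the HTML attribute context; neither one substitutes for the other.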

Comments

Comment by Alexei Vladishev [ 2011 May 13 ]
Resolved in revision 19597. Ready to test!

Comment by Alexei Vladishev [ 2011 May 16 ]
Merged to trunk, revision 19648.