[ZBX-3638] arguments passed to vtext.php are not escaped
Created: 2011 Mar 23  Updated: 2017 May 30  Resolved: 2011 May 16

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.8.4
Fix Version/s: None

Type: Incident report
Priority: Minor
Reporter: Aleksandrs Saveljevs
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File chipndale.png    

 Description   

Create user "Chip & Dale". Go to "Administration" -> "Notifications". Observe chipndale.png. This happens because "Chip & Dale" is inserted into the helper URL unescaped: new CImg('vtext.php?text='.$user_data['alias'].$vTextColor).
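
The failure described in the report, as an added example (not Zabbix source code and not the change made in revision 19597): it compares what the helper script receives as "text" when the alias is concatenated unescaped and when it is percent-encoded with urlencode(). The function name text_param_seen_by_server() and the empty $vTextColor value are assumptions made for illustration.

```php
<?php
// Added illustration; not Zabbix source. Sample values are constructed.
$user_data  = ['alias' => 'Chip & Dale'];  // alias used in the report
$vTextColor = '';                          // assumption: real suffix is not shown on the page

// Return the value of the "text" query parameter as the server-side
// script would parse it from the given image URL (hypothetical helper).
function text_param_seen_by_server(string $url): ?string
{
    $pos = strpos($url, '?');
    if ($pos === false) {
        return null;
    }
    parse_str(substr($url, $pos + 1), $params);
    return $params['text'] ?? null;
}

// Before: alias concatenated as-is, as in the expression quoted in the report.
// The '&' inside the alias ends the "text" parameter early.
$unescaped = 'vtext.php?text=' . $user_data['alias'] . $vTextColor;

// After: percent-encode the value so '&', '=', '#', '+' and spaces
// are carried as data instead of being read as URL syntax.
$escaped = 'vtext.php?text=' . urlencode($user_data['alias']) . $vTextColor;

foreach (['unescaped' => $unescaped, 'escaped' => $escaped] as $label => $url) {
    printf(
        "%-9s url=%s\n          text=%s\n",
        $label,
        $url,
        var_export(text_param_seen_by_server($url), true)
    );
}

// URL encoding and HTML escaping are separate layers. If the URL is written
// into an attribute by hand, it also needs htmlspecialchars(); whether CImg
// does this itself is not shown on the page.
echo '<img src="' . htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8') . '" />', "\n";
```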



 Comments   
Comment by Alexei Vladishev [ 2011 May 13 ]

Resolved in revision 19597. Ready to test!

Comment by Alexei Vladishev [ 2011 May 16 ]

Merged to trunk, revision 19648.
