From bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf Mon Sep 17 00:00:00 2001
From: David Hicks <d@hx.id.au>
Date: Fri, 18 Jan 2013 21:43:21 +1100
Subject: [PATCH] Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
---
 core/filter_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index 2286ff0..ce2ca4f 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -3400,7 +3400,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>
-- 
1.8.1.1