MantisBT: master-2.24 6c3482d0

Author: dregad
Committer: dregad
Branch: master-2.24
Timestamp: 2020-12-19 12:50:40
Parent: master-2.24 f6502be6
Affected Issues: 0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls

Use parameterized string for confirmation messages

Previously, the confirmation message was built manually in several
places throughout the code, concatenating strings with variables.

We now use a string with parameters, which is fed to sprintf prior to
display. This gives translators more control over the final message,
and allows removing the now-unused $s_in_project string.

Updated strings:

  • $s_confirm_custom_field_deletion
  • $s_confirm_used_custom_field_deletion
  • $s_confirm_custom_field_unlinking
  • $s_config_delete_sure
  • $s_confirm_file_delete_msg
  • $s_delete_account_sure_msg
  • $s_query_delete_msg
  • $s_remove_user_sure_msg
  • $s_version_delete_sure

Issue 0027779
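
The two patterns the commit message contrasts, as an added illustration that is not MantisBT's own code: a confirmation message assembled by string concatenation, where the variable part lands in the HTML unescaped, beside a translator-owned template with placeholders that is filled in with sprintf. The function names, the language string and the sample version name are constructed for this example. The page does not say how the project escapes the substituted value, so the htmlspecialchars() step is an assumption of this example, not a description of the fix.

```php
<?php
// Added example, not MantisBT code. Function and string names are hypothetical.

// Vulnerable pattern: the sentence is glued together from fragments, and the
// user-chosen name goes into the page exactly as stored.
function build_confirmation_by_concatenation( $p_prefix, $p_name, $p_suffix ) {
	return $p_prefix . ' "' . $p_name . '" ' . $p_suffix . '?';
}

// Parameterized pattern: the translator owns the whole sentence and decides
// where each value goes (positional %1$s, %2$s let a translation reorder them).
// Each value is HTML-escaped before substitution (assumption of this example).
function build_confirmation_by_template( $p_template, ...$p_values ) {
	$t_escaped = array_map(
		function( $p_value ) {
			return htmlspecialchars( (string)$p_value, ENT_QUOTES, 'UTF-8' );
		},
		$p_values
	);
	return vsprintf( $p_template, $t_escaped );
}

// Hypothetical language string, modelled on the $s_... naming in the commit.
$s_confirm_version_delete_template =
	'Are you sure you want to delete version "%1$s" from project "%2$s"?';

// Constructed input: a version name that carries HTML markup.
$t_version_name = 'v1.0 <b>beta</b>';
$t_project_name = 'Example project';

$t_unsafe = build_confirmation_by_concatenation(
	'Are you sure you want to delete version', $t_version_name, 'from this project' );
$t_safe = build_confirmation_by_template(
	$s_confirm_version_delete_template, $t_version_name, $t_project_name );

// What a reviewer checks: the markup survives in the first message and is
// neutralized into entities in the second.
assert( strpos( $t_unsafe, '<b>' ) !== false );
assert( strpos( $t_safe, '<b>' ) === false );
assert( strpos( $t_safe, '&lt;b&gt;' ) !== false );

echo $t_unsafe, PHP_EOL;
echo $t_safe, PHP_EOL;
```

Running the script prints the concatenated message with the raw `<b>` tags intact and the templated message with them rendered as `&lt;b&gt;`; the assertions make the same point without reading the output. The benefit the commit message mentions for translators is visible in the template: the complete sentence, including the placement of both values, lives in the language string rather than in code.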

mod - lang/strings_english.txt
mod - manage_config_revert.php
mod - manage_custom_field_delete.php
mod - manage_filter_delete.php
mod - manage_proj_custom_field_remove.php
mod - manage_proj_user_remove.php
mod - manage_proj_ver_delete.php
mod - manage_user_delete.php
mod - manage_user_proj_delete.php
mod - proj_doc_delete.php