From 83a91ec540072d319dd338abff45f8d5ebf48190 Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Mon, 27 Nov 2023 20:28:43 +0100
Subject: [PATCH] Fix XSS in bugtracker.php

---
 system/pages/bugtracker.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/system/pages/bugtracker.php b/system/pages/bugtracker.php
index ac37becd62..775b09f909 100644
--- a/system/pages/bugtracker.php
+++ b/system/pages/bugtracker.php
@@ -181,9 +181,9 @@
                     $value = '<span style="color: red">[CLOSED]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -274,7 +274,7 @@
                         $bgcolor = $light;
                     }
 
-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                     $showed=true;
                 }

Bug Tracker
Subject	'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'
Subject	'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'
Description
'.nl2br($bug[2]['text']).'
'.nl2br(escapeHtml($bug[2]['text'])).'