[F] Custom Profile fields - possible XSS?
04-06-2009, 04:50 AM
Post: #11
RE: Custom Profile fields - possible XSS?
(04-06-2009 01:49 AM)Michael83 Wrote:  That's why I said it could be seen as bogus. But it could be a benefit because many users seem to use $post['fidX'] in the postbit. And as $post['fidX'] is available without any modification in any php file we could run it through htmlspecialchars_uni() just to ensure that there's no XSS possibility.

Absolutely. Another point would be that php cannot be used in templates to sanitize it themselves. Just an extra security check that I think is needed.
04-06-2009, 09:48 PM (This post was last modified: 04-06-2009 09:51 PM by Ryan Gordon.)
Post: #12
RE: Custom Profile fields - possible XSS?
Michael, does your solution cover threaded mode as well? I don't think it does. And perhaps we can just do this instead?

PHP Code:
foreach($post as $post_field => $field_value)
{
    // Custom profile fields are keyed fid1, fid2, ...; leave all other post data alone
    if(substr($post_field, 0, 3) != 'fid')
    {
        continue;
    }

    // Escape HTML metacharacters so the field value cannot inject markup into the postbit
    $post[$post_field] = htmlspecialchars_uni($field_value);
}

04-06-2009, 10:00 PM
Post: #13
RE: Custom Profile fields - possible XSS?
Oh, you're right. I put your code into the build_postbit() function and it's working fine in both modes.

Greets,
Michael
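To make the effect of the loop above concrete, here is an added, stand-alone PHP example (not MyBB's own code) that runs the same fid-prefix escaping over a constructed post array and renders one field the way a postbit template would, before and after escaping. It assumes MyBB's htmlspecialchars_uni() is unavailable outside the forum and supplies a minimal stand-in with the same intent; the post array, the field values and the render_postbit_field() helper are constructed for illustration only.

```php
<?php
// Added example, not MyBB's own code.
// Assumption: outside MyBB, htmlspecialchars_uni() is not defined, so a
// minimal stand-in (escape HTML metacharacters including quotes, UTF-8 safe)
// is provided here for the demonstration.
if (!function_exists('htmlspecialchars_uni')) {
    function htmlspecialchars_uni($message)
    {
        return htmlspecialchars((string)$message, ENT_QUOTES, 'UTF-8');
    }
}

// Escape every custom profile field carried on the post array, exactly
// the check discussed in this thread: only keys starting with "fid".
function escape_profile_fields(array $post)
{
    foreach ($post as $post_field => $field_value) {
        if (substr($post_field, 0, 3) != 'fid') {
            continue;
        }
        $post[$post_field] = htmlspecialchars_uni($field_value);
    }
    return $post;
}

// Constructed stand-in for a postbit template: the value is interpolated
// straight into HTML, which is what makes an unescaped field dangerous.
function render_postbit_field(array $post, $key)
{
    return '<div class="profile-field">' . $post[$key] . '</div>';
}

// Constructed sample post: fid3 holds a value a user could have typed into a
// free-text custom profile field; fid4 is an ordinary harmless value.
$post = array(
    'pid'      => 42,
    'username' => 'alice',
    'fid3'     => '<script>alert(1)</script>',
    'fid4'     => 'Berlin',
);

$escaped = escape_profile_fields($post);

echo "unescaped: " . render_postbit_field($post, 'fid3') . "\n";
echo "escaped:   " . render_postbit_field($escaped, 'fid3') . "\n";

// Sanity checks: no raw '<' survives in the escaped field, so the browser
// shows the text literally instead of parsing it as markup; the harmless
// field and the non-fid keys are left untouched.
echo "fid3 contains raw '<': " . (strpos($escaped['fid3'], '<') === false ? 'no' : 'yes') . "\n";
echo "fid4 unchanged:        " . ($escaped['fid4'] === 'Berlin' ? 'yes' : 'no') . "\n";
echo "username unchanged:    " . ($escaped['username'] === 'alice' ? 'yes' : 'no') . "\n";
```

Running this with `php example.php` prints the raw and escaped renderings side by side. Escaping in build_postbit() rather than in the template is the point Michael83 and Ryan make: templates cannot call PHP, so the only reliable place to neutralise the value is before it is handed to the template.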
04-06-2009, 10:07 PM (This post was last modified: 04-06-2009 10:09 PM by Ryan Gordon.)
Post: #14
[F] Custom Profile fields - possible XSS?
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group

