Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[F] Custom Profile fields - possible XSS?
#11
(04-06-2009, 01:49 AM)Michael83 Wrote:  That's why I said it could be seen as bogus. But it could be a benefit because many users seem to use $post['fidX'] in the postbit. And as $post['fidX'] is available without any modification in any php file we could run it through htmlspecialchars_uni() just to ensure that there's no XSS possibility.

Absolutely. Another point would be that php cannot be used in templates to sanitize it themselves. Just an extra security check that I think is needed.
#12
Michael, does your solution cover threaded mode as well? I don't think it does. And perhaps we can just do this instead?

PHP Code:
foreach($post as $post_field => $field_value)
{
    if(
substr($post_field03) != 'fid')
    {
        continue;
    }
    
$post[$post_field] = htmlspecialchars_uni($field_value);

#13
Oh, you're right. I put your code into the build_postbit() function and it's working fine in both modes.
Greets,
Michael
-------------
[Image: donation_drive_sig.png]
#14
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group


Forum Jump:


Users browsing this thread: 1 Guest(s)