2018-04-14, 07:37 PM
I'd like to point out that MyBB templates should never use $mybb->input directly in the templates. This creates a situation where the data is not sanitized on the page. This opens up XSS where links to the page could insert malicious code including javascript to execute on the site including things like login popups which may mimic site login popup and then steal the credentials.
XSS is low-risk but still a risk and it's not the best practice to use unsanitized user input anywhere. But MyBB does this in a number of the default/master templates.
Most of the time the $mybb->input is used in case there is an error in form submission and the data remains in the form. That's convenient for the member but it's a risk as well. I suggest that MyBB does a template search and see which templates do this in order to decide if they want to sanitize the input or just remove the convenience.
Please review asap.
XSS is low-risk but still a risk and it's not the best practice to use unsanitized user input anywhere. But MyBB does this in a number of the default/master templates.
Most of the time the $mybb->input is used in case there is an error in form submission and the data remains in the form. That's convenient for the member but it's a risk as well. I suggest that MyBB does a template search and see which templates do this in order to decide if they want to sanitize the input or just remove the convenience.
Please review asap.