MyBB Community Forums

Full Version: [F] Custom Profile fields - possible XSS?
(2009-04-06, 01:49 AM) Michael83 Wrote: That's why I said it could be seen as bogus. But it could be a benefit because many users seem to use $post['fidX'] in the postbit. And as $post['fidX'] is available without any modification in any php file we could run it through htmlspecialchars_uni() just to ensure that there's no XSS possibility.

Absolutely. Another point would be that PHP cannot be used in templates, so they cannot sanitize it themselves. Just an extra security check that I think is needed.
Michael, does your solution cover threaded mode as well? I don't think it does. And perhaps we can just do this instead?

// Intended for build_postbit(); $post is the post array that is handed to the postbit template.
// Escape every custom profile field ($post['fid1'], $post['fid2'], ...) before it reaches the
// template, so a user-supplied profile value cannot inject HTML or script into the page.
foreach($post as $post_field => $field_value)
{
    // Only keys beginning with 'fid' are custom profile fields; leave every other key untouched.
    if(substr($post_field, 0, 3) != 'fid')
    {
        continue;
    }
    $post[$post_field] = htmlspecialchars_uni($field_value);
}
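The effect of the loop above, shown end to end as an added example that is not code from the thread or from MyBB. It feeds a constructed $post array with an XSS payload in a custom field through a stand-in postbit template once unescaped and once after the loop. The htmlspecialchars_uni() here is a simplified reimplementation written for this example, assumed to match what MyBB's function does for this input (& not already starting a numeric entity, <, > and " are escaped); escape_custom_profile_fields() and render_postbit() are names invented for the example.

```php
<?php
// Added example, not MyBB's code.
// Simplified stand-in for MyBB's htmlspecialchars_uni() (assumption: equivalent for this input).
function htmlspecialchars_uni($message)
{
    // Escape '&' unless it already begins a numeric entity such as &#1234;
    $message = preg_replace('#&(?!\#[0-9]+;)#si', '&amp;', $message);
    $message = str_replace('<', '&lt;', $message);
    $message = str_replace('>', '&gt;', $message);
    $message = str_replace('"', '&quot;', $message);
    return $message;
}

// The loop proposed in the thread, wrapped in a function (hypothetical name) so the same
// code can be called from build_postbit() in both linear and threaded display modes.
function escape_custom_profile_fields(array $post)
{
    foreach($post as $post_field => $field_value)
    {
        // Only custom profile fields ($post['fidX']) are touched; everything else passes through.
        if(substr($post_field, 0, 3) != 'fid')
        {
            continue;
        }
        $post[$post_field] = htmlspecialchars_uni($field_value);
    }
    return $post;
}

// Stand-in for a postbit template that prints custom profile fields verbatim, the way
// {$post['fid3']} would in a real template (constructed for this example).
function render_postbit(array $post)
{
    return "<div class=\"post\" id=\"post_" . $post['pid'] . "\">\n"
         . "  <div class=\"location\">Location: " . $post['fid3'] . "</div>\n"
         . "  <div class=\"department\">Department: " . $post['fid4'] . "</div>\n"
         . "</div>\n";
}

// Constructed sample post: fid3 and fid4 are values a user could save in their own
// profile fields; fid3 carries a script payload, fid4 only characters that need escaping.
$post = array(
    'pid'  => 42,
    'fid3' => '<script>alert(document.cookie)</script>',
    'fid4' => 'R&D, "Lab 3"',
);

echo "--- unescaped (vulnerable) ---\n";
echo render_postbit($post);

echo "--- escaped via htmlspecialchars_uni() ---\n";
echo render_postbit(escape_custom_profile_fields($post));
```

In the first rendering the script tag is emitted as live markup; in the second it arrives as &lt;script&gt;...&lt;/script&gt; and the quotes and ampersand in fid4 become &quot; and &amp;. Two things to keep in mind when relying on this: htmlspecialchars_uni() does not escape single quotes, so a template that places a field inside a single-quoted attribute is still injectable, and the substr() prefix test is the only thing selecting which keys are escaped, so a field that needs different handling has to be excluded explicitly.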
Oh, you're right. I put your code into the build_postbit() function and it's working fine in both modes.
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group