MyBB Community Forums
A potential security issue was found in the template. Oops..? - Printable Version




A potential security issue was found in the template. Oops..? - Lewis L - 2016-10-27

I was in the middle of decimating my user profile template (backed up the original copy) when MyBB decided it didn't like something I put in there. I did run it through a code tidy up tool if that makes any difference. (used dirtymarkup)

It looks even more messy now as I wasn't finished butchering it into something that I think might look decent enough.

This isn't related to the security issue but my username on profile refuses to be moved upwards. I probably messed that up too.

<html>
<head>
    <title>{$mybb->settings['bbname']} - {$lang->profile}</title>
</head>
<body>
    {$headerinclude} 
    <script type="text/javascript" src="{$mybb->asset_url}/jscripts/report.js?ver=1804"></script>
	{$header}<br>
    <br>
    <div class="profile-left-col">
        <div class="border-fix">
            <div class="profile-main-info">
                <div class="userprofile_avatar"><img height="141px" src=
                "{$mybb-user['avatar']}" width="141px"></div>
                <span class=
                        "profileusername">{$formattedname}</span>
				
				<div class="about">Join Date</div>{$memregdate}
				
				
				<table border="0" cellpadding="0" cellspacing="0" width="100%">
                    <tr>
                        <td width="100%"><br>
                        <br>
                        <br></td>
                    </tr>
                </table>
            </div>
        </div><br>
        <table border="0" cellpadding="10" cellspacing="0" class=
        "tborder tfixed">
            <tbody>
                <tr>
                    <td class="shead">
                        <strong></strong>
                        <div class="float_left">
                            <strong><span class=
                            "starfleet_icon_shead"></span></strong>
                        </div><strong>Information</strong>
                    </td>
                </tr>
                <tr>
                    <td class="trow1 profile-pad">Status: <span class=
                    "float_right">{$online_status}</span></td>
                </tr>
                <tr>
                    <td class="trow1 profile-pad">Registration
                    Date:<span class="float_right">{$memregdate}</span></td>
                </tr>
                <tr>
                    <td class="trow1 profile-pad">Date of Birth:<span class=
                    "float_right">{$membday} {$membdayage}</span></td>
                </tr>
                <tr>
                    <td class="trow1 profile-pad">Last Visit:<span class=
                    "float_right">{$memlastvisitdate}</span></td>
                </tr>
            </tbody>
        </table>
    </div><br>
    {$footer}
</body>
</html>



RE: A potential security issue was found in the template. Oops..? - Johnny S - 2016-10-27

$mybb->user instead of $mybb-user. Also, with that variable you are calling the currently logged-in user who is browsing that page (you) and not the avatar of the member profile in question.
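
An added example, not part of the original thread and not MyBB's own code: a small Python lint that flags {$...} tokens falling outside a simple variable / ->property / ['key'] form, which is the kind of malformed token pointed out in the reply above. The accepted grammar, the function name and the trimmed sample template are assumptions for illustration.

```python
import re

# Assumed grammar for a "simple" placeholder: {$name} followed by any mix of
# ->property and ['key'] / ["key"] / [key] accessors. This approximates what
# a template validator might accept; it is not MyBB's actual rule.
SIMPLE_PLACEHOLDER = re.compile(
    r"""\{\$[A-Za-z_]\w*              # {$variable
        (?:->[A-Za-z_]\w*             # ->property
          |\[\s*(['"]?)[\w ]+\1\s*\]  # ['key'], ["key"] or [key]
        )*\}""",
    re.VERBOSE,
)

# Anything that opens like a placeholder, whether well-formed or not.
ANY_PLACEHOLDER = re.compile(r"\{\$[^}]*\}")


def find_suspect_placeholders(template):
    """Return (line_number, token) for each {$...} token outside the simple grammar."""
    suspects = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in ANY_PLACEHOLDER.finditer(line):
            token = match.group(0)
            if not SIMPLE_PLACEHOLDER.fullmatch(token):
                suspects.append((lineno, token))
    return suspects


# Constructed sample: a few lines trimmed from the template posted in this thread.
SAMPLE = """<title>{$mybb->settings['bbname']} - {$lang->profile}</title>
{$headerinclude}
<script type="text/javascript" src="{$mybb->asset_url}/jscripts/report.js?ver=1804"></script>
<div class="userprofile_avatar"><img height="141px" src="{$mybb-user['avatar']}" width="141px"></div>
<span class="profileusername">{$formattedname}</span>
{$footer}
"""

if __name__ == "__main__":
    for lineno, token in find_suspect_placeholders(SAMPLE):
        print(f"line {lineno}: suspicious placeholder {token}")
```
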


RE: A potential security issue was found in the template. Oops..? - Lewis L - 2016-10-27

(2016-10-27, 08:01 PM)Johnny S Wrote: $mybb->user instead of $mybb-user. Also, with that variable you are calling the currently logged-in user who is browsing that page (you) and not the avatar of the member profile in question.

Thanks!

Oh, I was unaware that I messed up the variable. What's the correct one to use?


RE: A potential security issue was found in the template. Oops..? - Johnny S - 2016-10-27

{$avatar} should be the correct variable.


RE: A potential security issue was found in the template. Oops..? - Lewis L - 2016-10-27

(2016-10-27, 09:17 PM)Johnny S Wrote: {$avatar} should be the correct variable.

Is there a way to put CSS onto it though? Namely borders & setting width/height.

That's what I was doing previously.


RE: A potential security issue was found in the template. Oops..? - Johnny S - 2016-10-28

That variable is outputting the content found inside the member_profile_avatar template. In that template you can wrap the <img /> tag with a div and assign a class to it.