MyBB Community Forums
[F] Custom Profile fields - possible XSS? - Printable Version


RE: Custom Profile fields - possible XSS? - Imad Jomaa - 2009-04-06

(2009-04-06, 01:49 AM)Michael83 Wrote: That's why I said it could be seen as bogus. But it could be a benefit because many users seem to use $post['fidX'] in the postbit. And as $post['fidX'] is available without any modification in any PHP file we could run it through htmlspecialchars_uni() just to ensure that there's no XSS possibility.

Absolutely. Another point would be that PHP cannot be used in templates to sanitize it themselves. Just an extra security check that I think is needed.


RE: Custom Profile fields - possible XSS? - Ryan Gordon - 2009-04-06

Michael, does your solution cover threaded mode as well? I don't think it does. And perhaps we can just do this instead?

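// Escape every custom profile field (keys beginning with 'fid') before output
foreach($post as $post_field => $field_value)
{
    if(substr($post_field, 0, 3) != 'fid')
    {
        continue; // not a custom profile field
    }
    $post[$post_field] = htmlspecialchars_uni($field_value);
}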
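
The effect of the escaping loop above on rendered output, as an added example that is not code from this thread or from MyBB. Assumptions: escape_html() is a stand-in for htmlspecialchars_uni() built on PHP's htmlspecialchars(); escape_profile_fields(), render_postbit(), the template fragment and the sample row are hypothetical and constructed for illustration.

```php
<?php
// Stand-in for MyBB's htmlspecialchars_uni(); this sketch uses PHP's htmlspecialchars().
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: escape custom profile fields (fid1, fid2, ...) once, in PHP,
// because the template layer can only interpolate values, not sanitize them.
function escape_profile_fields(array $post): array
{
    foreach ($post as $field => $value) {
        // Anchored match: "fid" followed by digits only, stricter than a 3-char prefix test.
        if (!preg_match('/^fid\d+$/', (string) $field)) {
            continue;
        }
        $post[$field] = escape_html((string) $value);
    }
    return $post;
}

// Constructed postbit fragment: one field in element content, one inside an attribute.
function render_postbit(array $post): string
{
    return "<div class=\"author\">{$post['username']}</div>\n"
         . "<div class=\"location\">{$post['fid1']}</div>\n"
         . "<span title=\"{$post['fid2']}\">bio</span>\n";
}

// Constructed sample row shaped like the $post array discussed in the thread.
$post = [
    'pid'      => 101,
    'username' => 'alice',
    'fid1'     => '<script>alert(1)</script>',
    'fid2'     => '" onmouseover="alert(1)',
];

echo "--- unescaped fields reach the template as markup ---\n";
echo render_postbit($post);

echo "--- after escape_profile_fields() they render as inert text ---\n";
echo render_postbit(escape_profile_fields($post));
```

The second field shows why quotes must be encoded as well as angle brackets: a value placed inside an attribute can break out of it without ever using a tag.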



RE: Custom Profile fields - possible XSS? - Michael S. - 2009-04-06

Oh, you're right. I put your code into the build_postbit() function and it's working fine in both modes.


[F] Custom Profile fields - possible XSS? - Ryan Gordon - 2009-04-06

Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group