[Rejected] Sanitizing User Profiles
#1
In 1.6x the inc/datahandlers/users.php sanitized all the user input with htmlspecialchars_uni(). In 1.8x a lot of the sanitizing is removed.

I'm not sure if this was done because the sanitizing was expected to occur on output, but those of us who upgraded from a 1.6x forum and had custom pages and plugins that didn't sanitize that output now face security risks.

Example is usertitle.

In 1.6x:
$this->user_update_data['usertitle'] = $db->escape_string(htmlspecialchars_uni($user['usertitle']));

In 1.8x:
$this->user_update_data['usertitle'] = $db->escape_string($user['usertitle']);

I'm not sure how or why sanitizing was removed but I think it should immediately be added back.

You should compare it against a 1.6.16 version and you'll see what I'm talking about.

I may end up doing a PR at GitHub for this because I want it fixed before the next update. But can it be explained before I do why it was removed? Was it intentional?
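The difference described above, as an added example that is not MyBB's own code: it models the 1.6-style (escape on input) and 1.8-style (store raw) datahandler behaviour and shows why a custom page that prints a stored profile field must escape at output. The htmlspecialchars_uni() below is a local re-implementation of MyBB's helper for this example, not the project's file.

```php
<?php
// Added example, not MyBB code. Local re-implementation of MyBB's
// htmlspecialchars_uni(): escapes & < > " but leaves numeric entities
// such as &#8364; intact (an assumption about the helper's behaviour).
function htmlspecialchars_uni($message)
{
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// 1.6-style datahandler: HTML is escaped before the value reaches the DB.
function store_usertitle_16($input)
{
    return htmlspecialchars_uni($input);
}

// 1.8-style datahandler: the raw value is stored; escaping is the output's job.
function store_usertitle_18($input)
{
    return $input;
}

// A custom page that trusts the stored value (the risky pattern in the post).
function render_unescaped($stored)
{
    return "<span class=\"usertitle\">$stored</span>";
}

// The same page hardened: escape at output, whatever the datahandler stored.
function render_escaped($stored)
{
    return "<span class=\"usertitle\">" . htmlspecialchars_uni($stored) . "</span>";
}

// Constructed sample input: markup and an ampersand in a profile field.
$title = '<b>Admin</b> & friends';

// Raw storage + unescaped output: the <b> tag reaches the browser as markup.
echo render_unescaped(store_usertitle_18($title)), "\n";
// Raw storage + escaped output: the tag is shown as text, the & is encoded.
echo render_escaped(store_usertitle_18($title)), "\n";
// Escaped storage + escaped output: double-encoded (&amp;lt;b&amp;gt;...),
// which is why a single, consistent escaping point is needed.
echo render_escaped(store_usertitle_16($title)), "\n";
```

The second line of output is the safe rendering for a 1.8-style install; the third shows the cost of escaping on both input and output, so whichever layer a plugin targets, it should escape exactly once.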
Messages In This Thread
Sanitizing User Profiles - by labrocca - 2018-04-26, 06:13 PM