[Rejected] Sanitizing User Profiles
#3
I was wondering this but was there any documentation to admins that plugins and custom pages might be effected? To me this is a big change which creates XSS exploits on legacy code and the community should have been informed.

Quote:there are fewer points of failure (otherwise e.g. we'd need to make sure it's escaped properly in the ACP, Mod CP, and frontend for save & edit actions + plugins),

Actually escaping in user handler seems the least amount of failure.

My main issue is that now previously written custom code is vulnerable to XSS because of the change.

Quote:the filtering works for all past & future content immediately after it's implemented,

What does that mean? Please explain.

Quote:the application is protected regardless of how the data was saved or modified (limited access to the database, perhaps as a result of unrelated vulnerability, shouldn't mean the XSS protection can be also bypassed).

Again, if you had a custom page or plugin that showed usertitle for example, you didn't need to sanitize it because user handler already did it. Now it doesn't. Now all that legacy 1.6x code is vulnerable. I'd like to know if that's going to be fixed. I'd also like to see any documentation about this change that was provided to the community. Because it's a HUGE alteration that puts every MyBB forum with custom code at risk. And maybe this documentation has more information I would need to know about.

If you sanitized in 1.6x and don't sanitize in 1.8x I think admins need to be informed. And I think it's a bad change and should be undone.
Reply


Messages In This Thread
Sanitizing User Profiles - by labrocca - 2018-04-26, 06:13 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-26, 07:40 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 08:21 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-26, 09:42 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 10:20 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-26, 11:01 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 05:54 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-27, 07:48 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-27, 06:52 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-27, 08:12 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 08:23 PM
RE: Sanitizing User Profiles - by Omar G. - 2018-04-28, 06:44 AM
RE: Sanitizing User Profiles - by labrocca - 2018-04-28, 02:41 PM

Forum Jump:


Users browsing this thread: 1 Guest(s)