[Rejected] Sanitizing User Profiles
#5
Quote: It's widely regarded that best practice is to store data in the form that it was provided, and do filtering/escaping when making use of that data

C'mon bud. You guys made a change that opened up everyone to XSS in their custom pages and plugins and never notified anyone they should check their code. If MyBB did tell admins then I'd like to see that.

This was IMPORTANT enough that a sanitizing change should have required the team to notify admins and plugin authors. I have a feeling that a lot of sites are now vulnerable. I know that every plugin I had that showed usertitle is now vulnerable in 1.8x even if the plugin actually works.

And I suppose if you don't revert the change I'll make my adjustments to my own code but my main gripe is the lack of notification to a security standard alteration. Something like that should be announced.
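The situation described in the post, as an added example that is not MyBB's or any plugin's code (both render functions are hypothetical): a plugin that echoed the stored `usertitle` verbatim because the previous code stored it already escaped, beside the version that escapes at output time.

```php
<?php
// Added example, not MyBB's or a plugin's code. It shows the pattern the post
// describes: a plugin that assumed the stored usertitle was already escaped
// (true under the old input sanitization) now emits stored markup as-is.
// The render_* function names are hypothetical; htmlspecialchars() is real PHP.

// Constructed sample row, as the field is now stored: raw, unescaped.
$user = [
    'username'  => 'example_user',
    'usertitle' => 'Member <script>alert(1)</script>',
];

// Vulnerable rendering: trusts the stored value and echoes it verbatim,
// so any markup a user saved into usertitle reaches the browser intact.
function render_usertitle_unescaped(array $user): string
{
    return '<span class="usertitle">' . $user['usertitle'] . '</span>';
}

// Hardened rendering: escape at the point of output, the one place that
// knows the context (HTML body text here). ENT_QUOTES also covers the
// attribute case; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8 instead of silently dropping the title.
function render_usertitle_escaped(array $user): string
{
    $title = htmlspecialchars(
        $user['usertitle'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<span class="usertitle">' . $title . '</span>';
}

echo render_usertitle_unescaped($user), PHP_EOL;
echo render_usertitle_escaped($user), PHP_EOL;
```

Run with `php example.php`: the first line still contains a live `<script>` element, the second renders the same stored title as inert text.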


Messages In This Thread
Sanitizing User Profiles - by labrocca - 2018-04-26, 06:13 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-26, 07:40 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 08:21 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-26, 09:42 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 10:20 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-26, 11:01 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 05:54 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-27, 07:48 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-27, 06:52 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-27, 08:12 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 08:23 PM
RE: Sanitizing User Profiles - by Omar G. - 2018-04-28, 06:44 AM
RE: Sanitizing User Profiles - by labrocca - 2018-04-28, 02:41 PM
