[Rejected] Sanitizing User Profiles
#6
Hindsight 10/10, it's hard to announce what affects which plugins in detail.

1.8.0 had many, many changes; it was a major update after all. 1.9.0 will have many changes.

Plugin developers are supposed to run their own tests, not just change a compatibility line.

That said, I'm rather sure you had to sanitize all sorts of output yourself back in 1.6 (and 1.4) too.

Looking at the code, it's actually still in there, in another code path:

"usertitle" => $db->escape_string(htmlspecialchars_uni($user['usertitle'])),

(but not for usernames etc. etc. etc.)

Probably makes no difference in this case, but should be removed anyway.

Looking at the blame, the htmlspecialchars was removed in an unrelated changeset: https://github.com/mybb/mybb/issues/900

So there was no one out to harm people; it was just removed for consistency with other values/fields, I guess *shrugs*

There's something similar going on with private message folder names in private.php:

$foldername = $db->escape_string(htmlspecialchars_uni($val));
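As an added illustration of the storage-time versus output-time escaping question raised in this post (this is not code from the thread or from the MyBB project; htmlspecialchars_uni() below is a simplified stand-in for the helper in MyBB's inc/functions.php, and the $db->escape_string() layer is left out because it only protects the SQL statement and the database stores the plain value):

```php
<?php
// Added example, not MyBB code. Simplified stand-in for MyBB's htmlspecialchars_uni():
// HTML-escapes a string while leaving numeric entities such as &#123; intact.
function htmlspecialchars_uni($message)
{
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed sample: a user-controlled profile field that contains markup.
$user = ['usertitle' => '<b>Member</b> & "friend"'];

// Old code path quoted in the thread: the value is HTML-escaped before it is stored.
$stored_old = htmlspecialchars_uni($user['usertitle']);

// 1.8 code path: stored as typed (only SQL-escaped on the way in), so markup survives.
$stored_new = $user['usertitle'];

// A plugin template that echoes the stored value unchanged is only safe with the old path.
echo "old path, raw echo:  $stored_old\n";
echo "new path, raw echo:  $stored_new\n"; // markup goes straight to the browser

// Plugin-side fix: escape exactly once, at output time, whatever storage did.
function render_field($value)
{
    return htmlspecialchars_uni($value);
}
echo "new path, rendered:  " . render_field($stored_new) . "\n";

// Escaping at both storage and output double-encodes the value (&amp;lt;b&amp;gt; ...),
// which is the inconsistency the post points at: keep the escaping in one layer only.
echo "old path, rendered:  " . render_field($stored_old) . "\n";
```

Run it with `php example.php`; the "new path, raw echo" line is the case a plugin author has to guard against after the change, and the "old path, rendered" line shows the double-encoding that mixing both layers produces.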