Bug #1908
closed
Dropdown fields containing >< are not saved
Description
Created a dropdown list with >1yr <1 yr and when the field was selected, hitting submit kept saying it was not selected (it was a mandatory field). Assume the code isn't being sanitised properly.
Files
Updated by krileon over 13 years ago
- % Done changed from 0 to 20
Confirmed, values are NOT escape before they are saved to database. Will investigate further as to why, they should be htmlspecialed before storing.
Updated by krileon over 13 years ago
Reviewing source it is being htmlspecialed on frontend so no backend htmlspecial needed.
Updated by krileon over 13 years ago
- File 1908.patch 1908.patch added
- Assignee set to beat
- % Done changed from 20 to 80
cbGetParam was missing _MOS_ALLOWRAW preventing raw input from being obtained (further sensitization is done below to ensure it's safe)
Updated by beat over 13 years ago
- Status changed from Resolved to Closed
- % Done changed from 80 to 100
- Estimated time set to 1:30 h
Fixed in r1248 as suggested by patch, but also added strict to the in_array checks for valid entries, to avoid any lowering of security by the patch.
Thank you, Kyle.
Updated by beat over 13 years ago
Fixed regression in r1268:
Notice: Use of undefined constant strict - assumed 'strict' in D:\xampp\htdocs\cb\j15\components\com_comprofiler\plugin\user\plug_cbcore\cb.core.php on line 723
[19.11.10 18:27:17] Kyle: as for activity plugin, it already works? what's broken about it?