Bug #1908
closed
Dropdown fields containing >< are not saved
Added by RCheesley over 14 years ago.
Updated about 14 years ago.
Start date:
01 August 2010
Description
Created a dropdown list with >1yr <1 yr and when the field was selected, hitting submit kept saying it was not selected (it was a mandatory field). Assume the code isn't being sanitised properly.
- % Done changed from 0 to 20
Confirmed, values are NOT escaped before they are saved to database. Will investigate further as to why, they should be htmlspecialed before storing.
Reviewing source, it is being htmlspecialed on frontend so no backend htmlspecial needed.
Applies to <TEXT, but >TEXT works fine.
cbGetParam was missing _MOS_ALLOWRAW, preventing raw input from being obtained (further sanitization is done below to ensure it's safe).
- Status changed from New to Resolved
- Target version set to CB 1.3
- Status changed from Resolved to Closed
- % Done changed from 80 to 100
- Estimated time set to 1:30 h
Fixed in r1248 as suggested by patch, but also added strict to the in_array checks for valid entries, to avoid any lowering of security by the patch.
Thank you, Kyle.
Fixed regression in r1268:
Notice: Use of undefined constant strict - assumed 'strict' in D:\xampp\htdocs\cb\j15\components\com_comprofiler\plugin\user\plug_cbcore\cb.core.php on line 723
[19.11.10 18:27:17] Kyle: as for activity plugin, it already works? what's broken about it?
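
The approach discussed in this ticket (fetch the raw value, check it strictly against the configured options, escape only on output), as an added PHP example that is not Community Builder's code. `get_filtered`, `get_raw`, `validate_choice`, the `cb_duration` field and the sample values are hypothetical, and `strip_tags()` is only a stand-in for a filtering parameter getter.

```php
<?php
// Added example: all function and field names here are hypothetical,
// not Community Builder's own code.

// Constructed allow-list: the option values configured for the dropdown.
$allowed = array('>1yr', '<1 yr', '10');

// Stand-in for a tag-stripping request filter. Assumption: strip_tags() only
// models "input is filtered before validation"; it is not cbGetParam.
function get_filtered(array $post, $name) {
    $ok = isset($post[$name]) && is_string($post[$name]);
    return $ok ? strip_tags($post[$name]) : null;
}

// Raw fetch: the value exactly as submitted; the caller must validate it.
function get_raw(array $post, $name) {
    $ok = isset($post[$name]) && is_string($post[$name]);
    return $ok ? $post[$name] : null;
}

// Accept a value only if it is exactly one of the configured options.
// The third argument is the boolean true; a bare word `strict` would be an
// undefined constant, as in the notice quoted in this ticket.
function validate_choice($value, array $allowed) {
    return ($value !== null && in_array($value, $allowed, true)) ? $value : null;
}

// Constructed submissions: two legitimate options, a numeric look-alike of
// '10', and markup that is not an option.
foreach (array('>1yr', '<1 yr', '1e1', '<b>other</b>') as $submitted) {
    $post     = array('cb_duration' => $submitted);
    $filtered = validate_choice(get_filtered($post, 'cb_duration'), $allowed);
    $raw      = validate_choice(get_raw($post, 'cb_duration'), $allowed);
    $loose    = in_array($submitted, $allowed); // loose ==, shown for contrast

    // Escape at output time only; the stored value stays unescaped.
    $html = ($raw === null) ? '(rejected)'
                            : htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    printf(
        "%-16s filtered: %-8s raw+strict: %-8s loose: %-6s html: %s\n",
        var_export($submitted, true),
        var_export($filtered, true),
        var_export($raw, true),
        var_export($loose, true),
        $html
    );
}
```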