Actions
Bug #2380
closed
Missing htmlspecialchars in html output
Bug #2380:
Missing htmlspecialchars in html output
Description
component.groupjive.php line 587:
$input['description'] = '<textarea id="description" name="description" class="inputbox" cols="40" rows="5">' . $config->get( 'description' ) . '</textarea>';
missing htmlspecialchars.
Please check all places.
Updated by krileon almost 15 years ago
- Status changed from New to Resolved
- Assignee changed from krileon to beat
- % Done changed from 0 to 100
Fixed with r1606
Updated by beat almost 15 years ago
- Status changed from Resolved to Assigned
- Assignee changed from beat to krileon
- % Done changed from 100 to 50
Same applies to values of inputs:
e.g. line 581:
$input['name'] = '<input type="text" id="name" name="name" value="' . $config->get( 'name' ) . '" class="inputbox" size="40" />';
should be:
$input['name'] = '<input type="text" id="name" name="name" value="' . htmlspecialchars( $config->get( 'name' ) ) . '" class="inputbox" size="40" />';
Actually, not only for values of inputs, but all html output from PHP should be htmlspecialchared where applicable. Otherwise you can have html and javascript injections.
Updated by beat almost 15 years ago
and e.g. line 609:
$input['owner'] = '<input type="text" id="user_id" name="user_id" value="' . $config->get( 'user_id', $user->id ) . '" class="inputbox" size="6" ' . $disabled . ' />';
could be as it's an int:
$input['owner'] = '<input type="text" id="user_id" name="user_id" value="' . intval( $config->get( 'user_id', $user->id ) ) . '" class="inputbox" size="6" ' . $disabled . ' />';
Updated by krileon almost 15 years ago
- Status changed from Assigned to Resolved
- Assignee changed from krileon to beat
- % Done changed from 50 to 100
Fixed with r1607
Updated by krileon almost 15 years ago
- Status changed from Resolved to Closed
Actions