Bug #2380
closed
Missing htmlspecialchars in html output
Added by beat over 13 years ago.
Updated over 13 years ago.
Description
component.groupjive.php line 587:
$input['description'] = '<textarea id="description" name="description" class="inputbox" cols="40" rows="5">' . $config->get( 'description' ) . '</textarea>';
missing htmlspecialchars.
Please check all places.
- Status changed from New to Resolved
- Assignee changed from krileon to beat
- % Done changed from 0 to 100
- Status changed from Resolved to Assigned
- Assignee changed from beat to krileon
- % Done changed from 100 to 50
Same applies to values of inputs:
e.g. line 581:
$input['name'] = '<input type="text" id="name" name="name" value="' . $config->get( 'name' ) . '" class="inputbox" size="40" />';
should be:
$input['name'] = '<input type="text" id="name" name="name" value="' . htmlspecialchars( $config->get( 'name' ) ) . '" class="inputbox" size="40" />';
Actually, not only for values of inputs, but all html output from PHP should be htmlspecialchared where applicable. Otherwise you can have html and javascript injections.
and e.g. line 609:
$input['owner'] = '<input type="text" id="user_id" name="user_id" value="' . $config->get( 'user_id', $user->id ) . '" class="inputbox" size="6" ' . $disabled . ' />';
could be as it's an int:
$input['owner'] = '<input type="text" id="user_id" name="user_id" value="' . intval( $config->get( 'user_id', $user->id ) ) . '" class="inputbox" size="6" ' . $disabled . ' />';
- Status changed from Assigned to Resolved
- Assignee changed from krileon to beat
- % Done changed from 50 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by