This commit allows arbitrary JavaScript code to be executed.
For example, if realname is set to <script>alert()</script>
What's wrong with using htmlspecialchars here?
Paul
> -----Original Message-----
> From: mantisbt-cvs-admin-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@xxxxxxxxxxxxxxxx
> [mailto:mantisbt-cvs-admin-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@xxxxxxxxxxxxxxxx]
> On Behalf
> Of Jeroen Latour
> Sent: 26 November 2004 00:14
> To: mantisbt-cvs-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@xxxxxxxxxxxxxxxx
> Subject: [Mantisbt-cvs] mantisbt account_update.php,1.38,1.39
>
> Update of /cvsroot/mantisbt/mantisbt
> In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv1294
>
> Modified Files:
> account_update.php
> Log Message:
> 0004450: [localization] Real name with Chinese characters was garbled
>
> Index: account_update.php
> ===================================================================
> RCS file: /cvsroot/mantisbt/mantisbt/account_update.php,v
> retrieving revision 1.38
> retrieving revision 1.39
> diff -u -d -r1.38 -r1.39
> --- account_update.php 22 Aug 2004 01:19:29 -0000 1.38
> +++ account_update.php 26 Nov 2004 00:14:17 -0000 1.39
> @@ -27,9 +27,9 @@
> current_user_ensure_unprotected();
> ?>
> <?php
> - $f_email = htmlentities(
> gpc_get_string( 'email', '' ) );
> - $f_realname = htmlentities(
> gpc_get_string( 'realname', '' ) );
> - $f_password = gpc_get_string(
> 'password', '' );
> + $f_email = gpc_get_string( 'email', '' );
> + $f_realname = gpc_get_string( 'realname', '' );
> + $f_password = gpc_get_string( 'password', '' );
> $f_password_confirm = gpc_get_string(
> 'password_confirm', '' );
>
> $f_email = email_append_domain( $f_email );
>
>
>
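Review bot: dropping htmlentities() from the $f_email and $f_realname assignments (the two "-"/"+" pairs at the top of the hunk) leaves raw request input in those variables, so unless every place that later echoes them escapes at output time, a realname containing markup is reflected unescaped into the page; the hunk gives no sign that output-side escaping was added in the same change. The garbling reported in 0004450 comes from calling htmlentities() without a charset argument, which makes PHP of that era treat the UTF-8 bytes of a Chinese name as ISO-8859-1 and rewrite them as Latin-1 entities; the fix for that is to escape in the document's charset at the point of output, e.g. `htmlspecialchars( $f_realname, ENT_QUOTES, 'UTF-8' )`, or to pass the charset to htmlentities(), not to remove escaping altogether. The $f_password line is rewritten unchanged, so the net effect of the hunk is only the removal of those two escaping calls.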
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide Read honest &
> candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Mantisbt-cvs mailing list
> Mantisbt-cvs-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@xxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/mantisbt-cvs
>
>
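A worked illustration of the two points the thread turns on: why htmlentities() garbled a multibyte real name, and why escaping on output with htmlspecialchars() keeps the name intact while still neutralising the <script> payload from the reply. This is an added example, not MantisBT code; the sample names and the render_realname() helper are constructed for the demonstration, and the explicit 'ISO-8859-1' argument reproduces the charset that PHP versions before 5.4 used by default when none was given.

```php
<?php
// Added example, not MantisBT code. Constructed inputs: a UTF-8 Chinese real
// name (the case from bug 0004450) and the <script> payload from the reply.
$realname_cjk = "\xE5\xBC\xA0\xE4\xBC\x9F";   // "张伟" as raw UTF-8 bytes
$realname_xss = "<script>alert()</script>";

// Input-side escaping as the pre-1.39 code did it. Before PHP 5.4,
// htmlentities() defaulted to ISO-8859-1, so passing that charset explicitly
// reproduces the 2004 behaviour: each UTF-8 byte is read as a Latin-1
// character and rewritten as an entity, which is what garbled the stored name.
$garbled = htmlentities($realname_cjk, ENT_QUOTES, 'ISO-8859-1');
printf("htmlentities/ISO-8859-1: %s (changed: %s)\n",
       $garbled, $garbled !== $realname_cjk ? 'yes' : 'no');

// Output-side escaping in the document's charset. htmlspecialchars() rewrites
// only & < > " ' and leaves multibyte sequences alone, so the name survives.
// Hypothetical helper for this demonstration, not a MantisBT API.
function render_realname(string $realname): string
{
    // ENT_QUOTES so the value is also safe inside single-quoted attributes.
    // The charset must match the page's real encoding: with only ENT_QUOTES
    // set, an invalid UTF-8 sequence makes htmlspecialchars() return ''
    // rather than pass the bytes through.
    return htmlspecialchars($realname, ENT_QUOTES, 'UTF-8');
}

printf("render_realname(cjk): %s (unchanged: %s)\n",
       render_realname($realname_cjk),
       render_realname($realname_cjk) === $realname_cjk ? 'yes' : 'no');
// The script tags come back as entity text the browser renders, not executes.
printf("render_realname(xss): %s\n", render_realname($realname_xss));

// htmlentities() itself is not the problem: given the right charset it leaves
// characters that have no named entity, such as CJK, untouched.
printf("htmlentities/UTF-8: %s\n",
       htmlentities($realname_cjk, ENT_QUOTES, 'UTF-8'));
```

The design point is where escaping happens: store what the user typed, and escape once, in the output charset, at every sink that writes it into HTML. Escaping on input both garbles non-Latin-1 names (as above) and bakes HTML encoding into a value that may later be used somewhere that is not HTML.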