Issue #12368: Remove input side XSS validation of user real names

XSS issues should be handled on the output side of MantisBT rather than
on the input side. The user real name field was being validated on the
input side which is poor design due to the many number of ways in which
a user real name could change (SOAP API, XML import, web interface,
external scripts, plugins, etc). Furthermore different output interfaces
(XML, CSS, XHTML, etc) require different sanitisation and escaping
methods.

Thus we should remove the input side XSS validation of the user real
name field so that we allow ANY characters to be used in this field
(except 0x00 of course). Our existing output layers already handle XSS
sanitisation of variables such as the real name field.

account_update.php

@@ -96,7 +96,6 @@
 $t_realname = string_normalize( $f_realname );
 if ( $t_realname != user_get_field( $t_user_id, 'realname' ) ) {
 	# checks for problems with realnames
-	user_ensure_realname_valid( $t_realname );
 	$t_username = user_get_field( $t_user_id, 'username' );
 	user_ensure_realname_unique( $t_username, $t_realname );
 	user_set_realname( $t_user_id, $t_realname );

core/custom_field_api.php

@@ -406,9 +406,6 @@ function custom_field_has_write_access( $p_field_id, $p_bug_id, $p_user_id = nul
  * @access public
  */
 function custom_field_create( $p_name ) {
-	if( string_contains_scripting_chars( $p_name ) ) {
-		trigger_error( ERROR_CUSTOM_FIELD_INVALID_DEFINITION, ERROR );
-	}
 
 	$c_name = trim( $p_name );
 

core/string_api.php

@@ -881,16 +881,3 @@ function string_prepare_header( $p_string ) {
 	$t_string= explode( "\r", $t_string[0], 2 );
 	return $t_string[0];
 }
-
-/**
- * Checks the supplied string for scripting characters, if it contains any, then return true, otherwise return false.
- * @param string $p_string
- * @return bool
- */
-function string_contains_scripting_chars( $p_string ) {
-	if(( strstr( $p_string, '<' ) !== false ) || ( strstr( $p_string, '>' ) !== false ) ) {
-		return true;
-	}
-
-	return false;
-}

core/user_api.php

@@ -290,21 +290,6 @@ function user_ensure_realname_unique( $p_username, $p_realname ) {
 	}
 }
 
-# --------------------
-# Check if the realname is a valid (does not account for uniqueness)
-# true: valid, false: not valid
-function user_is_realname_valid( $p_realname ) {
-	return( !string_contains_scripting_chars( $p_realname ) );
-}
-
-# --------------------
-# Check if the realname is a valid (does not account for uniqueness), if not, trigger an error
-function user_ensure_realname_valid( $p_realname ) {
-	if( !user_is_realname_valid( $p_realname ) ) {
-		trigger_error( ERROR_USER_REAL_NAME_INVALID, ERROR );
-	}
-}
-
 # --------------------
 # Check if the username is a valid username (does not account for uniqueness)
 #  realname can match
@@ -489,7 +474,6 @@ function user_create( $p_username, $p_password, $p_email = '',
 
 	user_ensure_name_valid( $p_username );
 	user_ensure_name_unique( $p_username );
-	user_ensure_realname_valid( $p_realname );
 	user_ensure_realname_unique( $p_username, $p_realname );
 	email_ensure_valid( $p_email );
 
@@ -1328,8 +1312,6 @@ function user_set_email( $p_user_id, $p_email ) {
 # --------------------
 # Set the user's realname to the given string after checking validity
 function user_set_realname( $p_user_id, $p_realname ) {
-	/** @todo ensure_realname_valid( $p_realname ); */
-
 	return user_set_field( $p_user_id, 'realname', $p_realname );
 }
 

manage_user_create.php

@@ -82,7 +82,6 @@
 # strip extra space from real name
 $t_realname = string_normalize( $f_realname );
 user_ensure_name_valid( $f_username );
-user_ensure_realname_valid( $t_realname );
 user_ensure_realname_unique( $f_username, $f_realname );
 
 if ( $f_password != $f_password_verify ) {

manage_user_update.php

@@ -108,7 +108,6 @@
 $t_realname = string_normalize( $f_realname );
 
 user_ensure_name_valid( $f_username );
-user_ensure_realname_valid( $f_realname );
 user_ensure_realname_unique( $f_username, $f_realname );
 
 $f_email = email_append_domain( $f_email );