
Security - Fix XSS attack vector in user profile - reported by Javier…

… Bloem
ywarnier committed May 7, 2014
1 parent dd9bcd6 commit a22589a9b909b32c89fe532d07b621d84b77fb34
Showing with 4 additions and 0 deletions.
  1. +3 −0 main/auth/profile.php
  2. +1 −0 main/inc/lib/usermanager.lib.php
@@ -143,6 +143,7 @@ function show_icon_edit(element_html) {
}
$form->applyFilter(array('lastname', 'firstname'), 'stripslashes');
$form->applyFilter(array('lastname', 'firstname'), 'trim');
$form->applyFilter(array('lastname', 'firstname'), 'html_filter');
$form->addRule('lastname' , get_lang('ThisFieldIsRequired'), 'required');
$form->addRule('firstname', get_lang('ThisFieldIsRequired'), 'required');
@@ -165,6 +166,7 @@ function show_icon_edit(element_html) {
}
$form->applyFilter('official_code', 'stripslashes');
$form->applyFilter('official_code', 'trim');
$form->applyFilter('official_code', 'html_filter');
if (api_get_setting('registration', 'officialcode') == 'true' && api_get_setting('profile', 'officialcode') == 'true') {
$form->addRule('official_code', get_lang('ThisFieldIsRequired'), 'required');
}
@@ -202,6 +204,7 @@ function show_icon_edit(element_html) {
}
$form->applyFilter('phone', 'stripslashes');
$form->applyFilter('phone', 'trim');
$form->applyFilter('phone', 'html_filter');
/*if (api_get_setting('registration', 'phone') == 'true') {
$form->addRule('phone', get_lang('ThisFieldIsRequired'), 'required');
}
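Review bot: The added `html_filter` calls sanitise lastname/firstname, official_code and phone on input only, so the rendering side of these values (outside these hunks) still needs context-appropriate output escaping — `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for HTML — as a second layer, and values already stored before this commit are not covered by an input filter at all. The same three-call sequence (`stripslashes`, `trim`, `html_filter`) is now repeated verbatim in all three hunks of this file; the first hunk already shows the array form of `applyFilter`, so the filter could be applied once to a field list rather than per hunk, provided the elements are registered by then. For `phone` and `official_code` a positive validation rule (allowed characters) would be stricter than HTML filtering, especially since the `required` rule for phone is commented out just below the new line. A one-line comment such as `// html_filter: strips HTML/JS from free-text profile fields (XSS fix)` above each new call would record why the filter was added.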
@@ -4323,6 +4323,7 @@ static function set_extra_fields_in_form($form, $extra_data, $form_name, $admin_
$form->addElement('text', 'extra_'.$field_details[1], $field_details[3], array('size' => 40));
$form->applyFilter('extra_'.$field_details[1], 'stripslashes');
$form->applyFilter('extra_'.$field_details[1], 'trim');
$form->applyFilter('extra_'.$field_details[1], 'html_filter');
if (!$admin_permissions) {
if ($field_details[7] == 0)
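Review bot: The new `html_filter` is attached only to the `'text'` element built in this branch; `set_extra_fields_in_form` starts and ends outside the hunk, and if it builds other free-text element types for extra fields (textarea-style inputs, for instance) they presumably need the same filter — confirm in the rest of the function. The filter name is a string that must match a registered QuickForm filter; that registration is not visible here, and a typo would be silently unfiltered rather than fail, so a short comment like `// html_filter must be registered on the form; strips HTML from extra-field text (XSS)` next to the new line would help the next maintainer. The loose `$field_details[7] == 0` on the last line is pre-existing, but `(int) $field_details[7] === 0` would avoid the string/int coercion.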
