
xss: Install Form

This addresses an issue reported by Aishwarya Iyer where inserting `<img src
=x onerror = prompt(1)` into any text field on the install form will execute
in the browser after the system is installed and you log in. This is due to
us not sanitizing the content before it’s saved in the database. This adds
`Format::htmlchars()` to the installer to ensure the text field data is
sanitized properly.
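To make the failure mode in the commit message concrete, here is a small PHP script (added for this page; it is not osTicket code and does not call osTicket's own `Format::htmlchars()`). It stores the reported payload in a "first name" field, renders it once raw and once HTML-encoded, and also shows what happens when a value that was already encoded before storage is encoded a second time at output. `htmlchars_stub()` is a hypothetical stand-in built on PHP's `htmlspecialchars()`; the exact behaviour of the real `Format::htmlchars()` is assumed, not taken from the project.

```php
<?php
// Added example, not osTicket code. Demonstrates the stored-XSS path the
// commit message describes and the effect of encoding before storage.
declare(strict_types=1);

// Constructed sample input: exactly the string reported against the install form.
const PAYLOAD = '<img src =x onerror = prompt(1)';

// Hypothetical stand-in for Format::htmlchars(). Assumption: it HTML-encodes
// the characters that can open a tag or break out of an attribute value.
function htmlchars_stub(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simulated persistence: what the installer writes for the admin staff row.
// Before the fix the raw field was stored; after it, the encoded one.
function store_staff_before_fix(string $fname): array
{
    return ['firstname' => $fname];
}

function store_staff_after_fix(string $fname): array
{
    return ['firstname' => htmlchars_stub($fname)];
}

// Simulated page that greets the logged-in staff member by interpolating the
// stored value into markup without any output encoding.
function render_greeting(array $staff): string
{
    return "<p>Welcome, {$staff['firstname']}</p>";
}

// The same page, but escaping at output time (the usual place to do it).
function render_greeting_escaped(array $staff): string
{
    return "<p>Welcome, " . htmlchars_stub($staff['firstname']) . "</p>";
}

// Crude detector: an <img ... onerror ...> tag that a browser would execute.
function contains_live_img_handler(string $html): bool
{
    return (bool) preg_match('/<img\b[^>]*\bonerror\b/i', $html);
}

$raw   = render_greeting(store_staff_before_fix(PAYLOAD));
$fixed = render_greeting(store_staff_after_fix(PAYLOAD));
// Encoded at storage time AND escaped again at output: double encoding.
$twice = render_greeting_escaped(store_staff_after_fix(PAYLOAD));

$ok = contains_live_img_handler($raw) === true
   && contains_live_img_handler($fixed) === false
   && strpos($fixed, '&lt;img src =x onerror = prompt(1)') !== false
   && strpos($twice, '&amp;lt;img') !== false;   // entity itself got encoded

echo "before fix : {$raw}\n";
echo "after fix  : {$fixed}\n";
echo "double enc : {$twice}\n";
echo $ok ? "checks passed\n" : "checks FAILED\n";
exit($ok ? 0 : 1);
```

Run it with `php example.php`. The first line shows the payload landing in the page as a live tag, the second shows it rendered inert as text, and the third shows the cost of encoding before storage: any template that also escapes on output will print `&amp;lt;img ...` literally to the user, which is why output-time escaping with raw storage is the more common arrangement.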
JediKev committed Jun 19, 2019
1 parent bbfff1a commit c3ba5b78261e07a883ad8fac28c214486c854e12
Showing with 2 additions and 2 deletions.
  1. +2 −2 setup/inc/class.installer.php
@@ -188,8 +188,8 @@ function install($vars) {
'dept_id' => $dept_id,
'role_id' => $role_id,
'email' => $vars['admin_email'],
'firstname' => $vars['fname'],
'lastname' => $vars['lname'],
'firstname' => Format::htmlchars($vars['fname']),
'lastname' => Format::htmlchars($vars['lname']),
'username' => $vars['username'],
));
$staff->updatePerms(array(
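Review bot: only `'firstname'` and `'lastname'` are wrapped in `Format::htmlchars()`, while `'email' => $vars['admin_email']` and `'username' => $vars['username']` in the same array are still written from `$vars` untouched; since the commit message says the payload works in "any text field on the install form", the remaining fields written by `install()` (those two, and any outside this hunk) need the same treatment or the issue is only partly closed. Separately, this encodes before the value reaches the database rather than at render time, so anything that later escapes `firstname`/`lastname` on output will double-encode them (`&amp;lt;img ...` shown literally) and anything that uses them outside an HTML context will see entities instead of the name; consider storing the raw value and escaping where it is rendered, or at least documenting that these columns hold HTML-encoded text.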

0 comments on commit c3ba5b7
