Skip to content

Commit c3ba5b7

Browse files
committed
xss: Install Form
This addresses an issue reported by Aishwarya Iyer where inserting `<img src =x onerror = prompt(1)` into any text field on the install form will execute in the browser after the system is installed and you log in. This is due to us not sanitizing the content before it’s saved in the database. This adds `Format::htmlchars()` to the installer to ensure the text field data is sanitized properly.
1 parent bbfff1a commit c3ba5b7

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

Diff for: setup/inc/class.installer.php

+2-2
Original file line numberDiff line numberDiff line change
@@ -188,8 +188,8 @@ function install($vars) {
188188
'dept_id' => $dept_id,
189189
'role_id' => $role_id,
190190
'email' => $vars['admin_email'],
191-
'firstname' => $vars['fname'],
192-
'lastname' => $vars['lname'],
191+
'firstname' => Format::htmlchars($vars['fname']),
192+
'lastname' => Format::htmlchars($vars['lname']),
193193
'username' => $vars['username'],
194194
));
195195
$staff->updatePerms(array(

0 commit comments

Comments
 (0)