Fix security issue with posted website URL #1391

Merged
merged 1 commit into from Apr 6, 2014

@emanwebdev
Contributor

commented Mar 18, 2014

Added URL sanitizing and validation

to prevent submitted URLs similar to:

http://nauthy-url.com/"><script>alert(document.cookie)</script>

++ fix wrong http:// default'ed value when no website URL was submitted since now osc_validate_url does the job
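
The two changes described above (validating the submitted website URL, and no longer storing a bare `http://` when nothing was submitted), shown as an added example that is not part of this pull request or of the Osclass code base. The `example_*` helper names are hypothetical, and the project's own `osc_validate_url` is not reproduced here.

```php
<?php
// Added illustration; the example_* helpers are hypothetical, not Osclass functions.

/** Returns the URL to store, '' when nothing was submitted, or null when rejected. */
function example_clean_website_url(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '') {
        return '';   // no website given: store nothing instead of a bare "http://"
    }
    // Characters that may not appear unencoded in a URL (RFC 3986): controls,
    // space, double quote, angle brackets, backslash, ^, backtick, braces, pipe.
    if (preg_match('/[\x00-\x20\x7f"<>\\\\^`{|}]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Allow-list the scheme rather than trying to block bad ones.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Escapes at output time as well, so older stored rows cannot break out of href. */
function example_website_link(string $stored): string
{
    if ($stored === '') {
        return '';
    }
    $safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
}

// Constructed inputs; the second is the URL quoted in the pull request description.
$samples = [
    'https://example.org/shop?id=7',
    'http://nauthy-url.com/"><script>alert(document.cookie)</script>',
    '',
];
foreach ($samples as $s) {
    $clean = example_clean_website_url($s);
    echo var_export($s, true), ' => ', var_export($clean, true), PHP_EOL;
}
// Rows saved before the fix are still rendered inertly:
echo example_website_link($samples[1]), PHP_EOL;
```

Input validation alone does not cover values already in the database, which is why the output helper escapes independently of the input check.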

conejoninja added a commit that referenced this pull request Apr 6, 2014

Merge pull request #1391 from emanwebdev/patch-26
Fix security issue with posted website URL

@conejoninja conejoninja merged commit bf4084b into osclass:hotfixes Apr 6, 2014

@emanwebdev

Contributor Author

commented Apr 7, 2014

Again, don't/can't delete that pull/that branch as it's linked to from the forum

@conejoninja

Member

commented Apr 7, 2014

I'm not sure if you're telling me to not delete the branch or that you can not delete the branch yourself.

Since the branch is on your own repository, I can not do anything about it, it's under your control.

If you want to, but can not, you could point the forums to this PR/commit and tell them it's already merged

@emanwebdev

Contributor Author

commented Apr 7, 2014

sure, CAN delete it (was a reminder for me), but not sure what will happen if I delete the BRANCH. Would it lead to a 404 from the forum?

anyway, you're right, I'd better update the link at the post level in the forum (lazy to search for it aso :)) UPDATE: Done http://forums.osclass.org/francaise/!!-(security-fix)-pour-les-urls-des-websites-des-utilisateurs-inscrits/msg91495/#msg91495

@emanwebdev

Contributor Author

commented Apr 7, 2014

@conejoninja will the URL of your commit stay "forever" ? bf4084b

if yes, i'll update the link in the forum (thus getting obsolete, it's a 20 days ago story, but people still can find the post in the forum, and UNFORTUNATELY, as i stupidly impulsively posted it here PUBLICLY, Google has indexed it and now it just shows up the breach to all, while some users are still using previous versions of Osclass (coz of plug-in compatibility issues or so)

Well, one more reason to tell people on the forum to fix it actually !

@conejoninja

Member

commented Apr 7, 2014

As far as I know, and as long as GitHub still exists, the URL of the commit will stay forever

@emanwebdev emanwebdev deleted the emanwebdev:patch-26 branch Apr 7, 2014

@emanwebdev

Contributor Author

commented Apr 7, 2014

OK, good to know ! that GitHub is immortal 😄

P.S. Link updated on the forum
