
Ticket #164 (fixed bug)

base_url is never validated

  • Created: 2010-10-22 11:00:09
  • Reported by: Reines
  • Assigned to: Reines
  • Milestone: 1.4.3
  • Component: security
  • Priority: normal

The $pun_config['o_base_url'] is never escaped before output; however, it is never validated when input either.

Really this isn't a problem, since only admins can trigger it - and if you have admin access you already have permission to add HTML in board descriptions etc.

History

Reines 2010-10-22 11:49:47

I've escaped some of the output, however not yet in extern.php.

It is used quite often in email link generation, but since emails are sent as plain-text rather than HTML that isn't a problem.

Reines 2010-10-22 23:06:10

  • Visibility set to public.

Reines 2010-10-23 13:11:25

  • Status changed from open to fixed.
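
An added illustration of the two controls this ticket discusses, validating the base URL when it is saved and escaping it when it is written into HTML. This is not FluxBB's code and not the change committed for this ticket; the function names `validate_base_url` and `escape_html` are hypothetical and the sample URLs are constructed.

```php
<?php
// Hypothetical helpers for illustration; not taken from the FluxBB code base.

// Input side: accept only an absolute http(s) URL free of markup characters.
function validate_base_url(string $input): ?string
{
    $url = rtrim(trim($input), '/');

    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // FILTER_VALIDATE_URL is lenient, so explicitly refuse whitespace,
    // quotes and angle brackets that could break out of an HTML attribute.
    if (preg_match('/[\s"\'<>]/', $url)) {
        return null;
    }
    return $url;
}

// Output side: escape on every write into HTML, whatever validation did.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'http://forum.example.com/',
    'https://example.com/forum',
    'javascript:alert(1)',
    'http://example.com/"><script>alert(1)</script>',
    'example.com/forum',
];
foreach ($samples as $s) {
    $clean = validate_base_url($s);
    printf("%-50s => %s\n", $s, $clean === null ? 'rejected' : 'accepted');
}

// A value stored before validation existed is still inert once escaped.
$stored = 'http://example.com/"><script>alert(1)</script>';
echo '<a href="' . escape_html($stored) . '/index.php">Index</a>', "\n";
```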