Fork me on GitHub
Subscribe 2

Ticket #829 (fixed bug)

Category not escaped on profile/administration page

  • Created: 2013-02-06 11:04:13
  • Reported by: Wieke
  • Assigned to: Franz
  • Milestone: 1.5.3
  • Component: security
  • Priority: normal

Hi

Found a bug similar to ticket 781. But this one involves category names on a users profile/administration page.

  1. Create a category containing an ampersand.

  2. Navigate, as admin, to a user's profile.

  3. Click on administration.

I've tried replacing the ampersand with &. This works but only for the user/administration page, on the forum index it will literally show as &.

After some messing about with the profile.php code I found the following solution.

Replace (line 1786 in my code)

echo "\t\t\t\t\t\t\t".'<div class="conl">'."\n\t\t\t\t\t\t\t\t".'<p><strong>'.$cur_forum['cat_name'].'</strong></p>'."\n\t\t\t\t\t\t\t\t".'<div class="rbox">';

with

echo "\t\t\t\t\t\t\t".'<div class="conl">'."\n\t\t\t\t\t\t\t\t".'<p><strong>'.pun_htmlspecialchars($cur_forum['cat_name']).'</strong></p>'."\n\t\t\t\t\t\t\t\t".'<div class="rbox">';

Have a nice day,

Wieke

History

Franz 2013-02-06 22:48:43

  • Component changed from parser to security.
  • Milestone set to 1.5.3.
  • Owner set to Franz.

Franz 2013-02-08 09:07:50

  • Summary changed from Caregory not escaped on profile/administration page. to Category not escaped on profile/administration page.

Franz 2013-02-21 22:36:59

Commit 3a225de to fluxbb master

#829: Escape category name on profile administration page.

Franz 2013-02-22 11:11:12

  • Status changed from open to fixed.

Thanks for the report!