Bug fix: correct XSS problems (prevent username with non-alphanumeric characters, protect profile page)

git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@157 b3834d28-1941-0410-a4f8-b48e95affb8f

services/userservice.php

@@ -393,8 +393,9 @@ class UserService {
         	if (strlen($username) > 24) {
         		// too long usernames are cut by database and may cause bugs when compared 
         		return false;
-        	} else {
+        	} elseif (preg_match('/(\W)/', $username) > 0) {
-        		return true;
+        		// forbidden non-alphanumeric characters
+        		return false;
         	}
         	return true;
         }        

templates/editprofile.tpl.php

@@ -40,7 +40,7 @@ $this->includeTemplate($GLOBALS['top_include']);
 </tr>
 <tr>
     <th align="left"><?php echo T_('Homepage'); ?></th>
-    <td><input type="text" name="pPage" size="75" value="<?php echo filter($row['homepage'], 'xml'); ?>" /></td>
+    <td><input type="text" name="pPage" size="75" value="<?php echo filter($row['homepage']); ?>" /></td>
 </tr>
 <tr>
     <th align="left"><?php echo T_('Description'); ?></th>

templates/profile.tpl.php

@@ -10,13 +10,13 @@ $this->includeTemplate($GLOBALS['top_include']);
 if ($row['name'] != "") {
 ?>
 <dt><?php echo T_('Name'); ?></dt>
-    <dd><?php echo $row['name']; ?></dd>
+    <dd><?php echo filter($row['name']); ?></dd>
 <?php
 }
 if ($row['homepage'] != "") {
 ?>
 <dt><?php echo T_('Homepage'); ?></dt>
-    <dd><a href="<?php echo $row['homepage']; ?>"><?php echo $row['homepage']; ?></a></dd>
+    <dd><a href="<?php echo filter($row['homepage'], 'url'); ?>"><?php echo filter($row['homepage']); ?></a></dd>
 <?php
 }
 ?>