Bug fix: correct XSS problems (prevent username with non-alphanumeric characters, protect profile page)

git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@157 b3834d28-1941-0410-a4f8-b48e95affb8f
This commit is contained in:
mensonge 2008-11-14 14:38:55 +00:00
parent 67a13f74ce
commit 8bc7ad4383
3 changed files with 6 additions and 5 deletions

View file

@ -393,8 +393,9 @@ class UserService {
if (strlen($username) > 24) { if (strlen($username) > 24) {
// too long usernames are cut by database and may cause bugs when compared // too long usernames are cut by database and may cause bugs when compared
return false; return false;
} else { } elseif (preg_match('/(\W)/', $username) > 0) {
return true; // forbidden non-alphanumeric characters
return false;
} }
return true; return true;
} }

View file

@ -40,7 +40,7 @@ $this->includeTemplate($GLOBALS['top_include']);
</tr> </tr>
<tr> <tr>
<th align="left"><?php echo T_('Homepage'); ?></th> <th align="left"><?php echo T_('Homepage'); ?></th>
<td><input type="text" name="pPage" size="75" value="<?php echo filter($row['homepage'], 'xml'); ?>" /></td> <td><input type="text" name="pPage" size="75" value="<?php echo filter($row['homepage']); ?>" /></td>
</tr> </tr>
<tr> <tr>
<th align="left"><?php echo T_('Description'); ?></th> <th align="left"><?php echo T_('Description'); ?></th>

View file

@ -10,13 +10,13 @@ $this->includeTemplate($GLOBALS['top_include']);
if ($row['name'] != "") { if ($row['name'] != "") {
?> ?>
<dt><?php echo T_('Name'); ?></dt> <dt><?php echo T_('Name'); ?></dt>
<dd><?php echo $row['name']; ?></dd> <dd><?php echo filter($row['name']); ?></dd>
<?php <?php
} }
if ($row['homepage'] != "") { if ($row['homepage'] != "") {
?> ?>
<dt><?php echo T_('Homepage'); ?></dt> <dt><?php echo T_('Homepage'); ?></dt>
<dd><a href="<?php echo $row['homepage']; ?>"><?php echo $row['homepage']; ?></a></dd> <dd><a href="<?php echo filter($row['homepage'], 'url'); ?>"><?php echo filter($row['homepage']); ?></a></dd>
<?php <?php
} }
?> ?>