MantisBT
Main | My View | View Issues | Change Log | Roadmap | Wiki | ManTweet | Repositories
  

View Issue Details Jump to Notes ] Wiki ] Related Changesets ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0012368mantisbtbugtrackerpublic2010-09-18 01:192013-04-06 09:26
Reporterdhx 
Assigned Todhx 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version1.3.x 
Target Version1.3.xFixed in Version1.3.x 
Summary0012368: Remove input side XSS validation of user real names
DescriptionXSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side which is poor design due to the many number of ways in which a user real name could change (SOAP API, XML import, web interface, external scripts, plugins, etc). Furthermore different output interfaces (XML, CSS, XHTML, etc) require different sanitisation and escaping methods.

Thus we should remove the input side XSS validation of the user real name field so that we allow ANY characters to be used in this field (except 0x00 of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.
Tags2.0.x check
Attached Files

- Relationships
related to 0012441resolveddaryn Unable to update custom fields due to missing function error. 
related to 0015721new Functionality to consider porting to master-2.0.x 
related to 0008743closeddhx function string_contains_scripting_chars should check for ' and " 

-  Notes
User avatar (0036231)
grangeway (developer)
2013-04-05 17:57

 Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

- Related Changesets
MantisBT: master 01d2ffad
Timestamp: 2010-09-18 05:19:30
Author: dhx
Details ] Diff ] 		Issue 0012368: Remove input side XSS validation of user real names

XSS issues should be handled on the output side of MantisBT rather than
on the input side. The user real name field was being validated on the
input side which is poor design due to the many number of ways in which
a user real name could change (SOAP API, XML import, web interface,
external scripts, plugins, etc). Furthermore different output interfaces
(XML, CSS, XHTML, etc) require different sanitisation and escaping
methods.

Thus we should remove the input side XSS validation of the user real
name field so that we allow ANY characters to be used in this field
(except 0x00 of course). Our existing output layers already handle XSS
sanitisation of variables such as the real name field.
mod - manage_user_create.php Diff ] File ]
mod - manage_user_update.php Diff ] File ]
mod - core/user_api.php Diff ] File ]
mod - core/custom_field_api.php Diff ] File ]
mod - account_update.php Diff ] File ]
mod - core/string_api.php Diff ] File ]

- Issue History
Date Modified Username Field Change
2010-09-18 01:19 dhx New Issue
2010-09-18 01:19 dhx Status new => assigned
2010-09-18 01:19 dhx Assigned To => dhx
2010-09-18 01:22 dhx Changeset attached => MantisBT master 01d2ffad
2010-09-18 01:22 dhx Status assigned => resolved
2010-09-18 01:22 dhx Fixed in Version => 1.3.x
2010-09-18 01:22 dhx Resolution open => fixed
2010-09-18 01:22 dhx Relationship added related to 0008743
2012-10-03 08:42 dregad Relationship added related to 0012441
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036231
2013-04-05 18:48 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved

MantisBT 1.2.16dev master-1.2.x-8c2bd07 [^]
Copyright © 2000 - 2013 MantisBT Team
Time: 0.1135 seconds.
memory usage: 2,821 KB
Powered by Mantis Bugtracker