2016-12-09 06:29 EST

ID: 0012368
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Assigned To: dhx
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0012368: Remove input side XSS validation of user real names
Description: XSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side, which is poor design because of the many ways in which a user real name can change (SOAP API, XML import, web interface, external scripts, plugins, etc.). Furthermore, different output interfaces (XML, CSS, XHTML, etc.) require different sanitisation and escaping methods.

Thus we should remove the input side XSS validation of the user real name field so that we allow ANY characters to be used in this field (except 0x00 of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.
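As an added illustration of the output-side approach the description argues for (example code, not MantisBT's own; the function names and the sample real name are constructed), the field is accepted raw apart from 0x00 and escaped differently for each output context:

```php
<?php
// Added example, not MantisBT's own code: the real name is accepted as-is
// (only 0x00 is rejected) and escaped per output context at render time.
// Function names and the sample value below are constructed for this example.

function realname_accept(string $name): bool
{
    // Input side: reject only the NUL byte, as the issue proposes.
    return strpos($name, "\0") === false;
}

function realname_for_html(string $name): string
{
    // HTML element/attribute context: & < > " ' become entities.
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function realname_for_xml(string $name): string
{
    // XML context (e.g. export): XML 1.0 entity set, numeric entity for '.
    return htmlspecialchars($name, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function realname_for_js(string $name): string
{
    // JavaScript string literal inside a <script> block: JSON-encode and
    // additionally hex-escape < > & ' " so a "</script>" in the value
    // cannot terminate the surrounding script element.
    return json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample containing characters the old input-side check
// rejected; it is stored unchanged and only escaped when rendered.
$name = 'Miles O\'Brien <b>"DS9"</b> & Co';

var_dump(realname_accept($name));
var_dump(realname_accept("bad\0name"));
echo realname_for_html($name), "\n";
echo realname_for_xml($name), "\n";
echo realname_for_js($name), "\n";
```

The same stored value yields three different escaped forms, which is why one input-side filter cannot substitute for escaping at each output layer.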
Tags: No tags attached.
Attached Files:

Relationships:
related to 0012441 (closed, daryn): Unable to update custom fields due to missing function error.
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0008743 (closed, dhx): function string_contains_scripting_chars should check for ' and "



Note 0036231, grangeway (reporter):

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.


Issue History
Date Modified Username Field Change
2010-09-18 01:19 dhx New Issue
2010-09-18 01:19 dhx Status new => assigned
2010-09-18 01:19 dhx Assigned To => dhx
2010-09-18 01:22 dhx Changeset attached => MantisBT master 01d2ffad
2010-09-18 01:22 dhx Status assigned => resolved
2010-09-18 01:22 dhx Fixed in Version => 1.3.0-beta.1
2010-09-18 01:22 dhx Resolution open => fixed
2010-09-18 01:22 dhx Relationship added related to 0008743
2012-10-03 08:42 dregad Relationship added related to 0012441
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036231
2013-04-05 18:48 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-10-18 16:11 atrol Product Version 1.3.0-beta.1 => 1.2.15
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check
2014-11-07 12:53 vboctor Category bugtracker => security
2014-12-08 00:33 vboctor Status resolved => closed