View Issue Details
| Field | Value |
|---|---|
| ID | 0012368 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2010-09-18 01:19 |
| Last Update | 2014-12-08 00:33 |
| Reporter | dhx |
| Assigned To | dhx |
| Priority | normal |
| Severity | feature |
| Reproducibility | N/A |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.15 |
| Target Version | 1.3.0-beta.1 |
| Fixed in Version | 1.3.0-beta.1 |
| Summary | 0012368: Remove input side XSS validation of user real names |
| Tags | No tags attached. |

Description

XSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side, which is poor design given the many ways in which a user real name can change (SOAP API, XML import, web interface, external scripts, plugins, etc.). Furthermore, different output interfaces (XML, CSS, XHTML, etc.) require different sanitisation and escaping methods. Thus we should remove the input side XSS validation of the user real name field so that we allow ANY characters to be used in this field (except 0x00 of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.
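The principle the description argues for, stated as runnable code: the input side keeps only the one rule the issue retains (no 0x00 byte) and stores the value verbatim, and each output interface applies its own escaping. This is an added illustration, not MantisBT's own code (which is PHP); the function names and the sample real name are constructed for the example.

```python
import html
from xml.sax.saxutils import escape as xml_escape

# Constructed sample: a legitimate real name that an input-side XSS filter
# would mangle or reject, yet which is harmless once escaped per context.
SAMPLE_REAL_NAME = 'Jean-Luc "JL" O\'Brien <QA & Test>'


def is_storable(name: str) -> bool:
    """Input side: the only hard rule is 'no NUL byte'; anything else is allowed."""
    return "\x00" not in name


def store_real_name(name: str) -> str:
    """Store the real name verbatim (no stripping, no entity encoding).
    Returns the value exactly as it will be kept in the database."""
    if not is_storable(name):
        raise ValueError("real name must not contain a NUL (0x00) byte")
    return name


def escape_html_text(name: str) -> str:
    """For XHTML element content: & < > must be encoded; quotes are harmless here."""
    return html.escape(name, quote=False)


def escape_html_attr(name: str) -> str:
    """For a quoted XHTML attribute value: the quote characters must be encoded too."""
    return html.escape(name, quote=True)


def escape_xml_text(name: str) -> str:
    """For an XML text node (e.g. an export or a SOAP response)."""
    return xml_escape(name)


def escape_css_string(name: str) -> str:
    """For a CSS string literal: hex-escape every non-alphanumeric character
    (the conservative rule) so no string or block delimiter survives."""
    return "".join(c if c.isalnum() else "\\%x " % ord(c) for c in name)


def render(name: str) -> dict:
    """Render one stored value once per output interface."""
    stored = store_real_name(name)
    return {
        "html_text": escape_html_text(stored),
        "html_attr": escape_html_attr(stored),
        "xml": escape_xml_text(stored),
        "css": escape_css_string(stored),
    }


if __name__ == "__main__":
    for context, value in render(SAMPLE_REAL_NAME).items():
        print(f"{context:9} {value}")
```

The point of the four separate escapers is the one the description makes: no single input-side rule could produce output that is safe in an attribute, a text node, and a CSS string at once, so the stored value stays raw and the escaping decision is made where the output context is known.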
Changeset: MantisBT master 01d2ffad, 2010-09-18 01:19

Commit message:

Issue 0012368: Remove input side XSS validation of user real names. XSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side, which is poor design due to the many ways in which a user real name could change (SOAP API, XML import, web interface, external scripts, plugins, etc.). Furthermore, different output interfaces (XML, CSS, XHTML, etc.) require different sanitisation and escaping methods. Thus we should remove the input side XSS validation of the user real name field so that we allow ANY characters to be used in this field (except 0x00 of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.

Affected Issues: 0012368

| Change | File |
|---|---|
| mod | manage_user_create.php |
| mod | manage_user_update.php |
| mod | core/user_api.php |
| mod | core/custom_field_api.php |
| mod | account_update.php |
| mod | core/string_api.php |