View Issue Details

ID: 0012368
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0012368: Remove input side XSS validation of user real names
Description

XSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side, which is poor design given the many ways in which a user real name can change (SOAP API, XML import, web interface, external scripts, plugins, etc.). Furthermore, different output interfaces (XML, CSS, XHTML, etc.) require different sanitisation and escaping methods.

Thus we should remove the input side XSS validation of the user real name field so that ANY characters can be used in this field (except 0x00, of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.
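The principle the description argues for, shown as an added example in PHP (illustration only, not MantisBT's own code): the only check that remains on the input side is the rejection of NUL, and each output sink escapes the same stored value in its own way. The helper names and the sample real name are assumptions made for this example.

```php
<?php
// Added example, not MantisBT code: accept any real name on input
// (rejecting only NUL, 0x00) and escape it per output sink.
// The helper names below are assumptions made for this illustration.

// Input side: the one byte that can never be stored or emitted safely.
function real_name_is_storable(string $name): bool
{
    return strpos($name, "\0") === false;
}

// Output side: one escaper per sink. The stored string is the same;
// only the encoding applied at the point of output differs.
function escape_html(string $s): string
{
    // Element content and quoted attribute values; ENT_QUOTES also
    // covers the single quote so "O'Neil" cannot close an attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function escape_xml(string $s): string
{
    // ENT_XML1 emits only XML-valid references (no HTML-only named
    // entities), so the result is safe in an XML export as well.
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function escape_css_string(string $s): string
{
    // Inside a quoted CSS string: hex-escape every non-alphanumeric
    // code point; the trailing space terminates the escape sequence.
    return preg_replace_callback(
        '/[^A-Za-z0-9]/u',
        fn(array $m): string => sprintf('\\%X ', mb_ord($m[0], 'UTF-8')),
        $s
    );
}

// Constructed sample: a name that input-side validation would have
// rejected, but which is harmless once escaped for the sink it lands in.
$name = "O'Neil <b>\"Bob\"</b> & Co";

if (!real_name_is_storable($name)) {
    exit("real name must not contain NUL\n");
}
printf("<td>%s</td>\n", escape_html($name));
printf("<input type=\"text\" value=\"%s\">\n", escape_html($name));
printf("<realname>%s</realname>\n", escape_xml($name));
printf(".realname::after { content: \"%s\"; }\n", escape_css_string($name));
```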

Tags: No tags attached.

Relationships

related to 0012441 (closed, daryn): Unable to update custom fields due to missing function error.
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0008743 (closed, dhx): function string_contains_scripting_chars should check for ' and "

Activities

grangeway (reporter), 2013-04-05 17:57, note ~0036231

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 01d2ffad

2010-09-18 05:19:30

dhx

Issue 0012368: Remove input side XSS validation of user real names

XSS issues should be handled on the output side of MantisBT rather than
on the input side. The user real name field was being validated on the
input side, which is poor design due to the many ways in which
a user real name could change (SOAP API, XML import, web interface,
external scripts, plugins, etc.). Furthermore, different output interfaces
(XML, CSS, XHTML, etc.) require different sanitisation and escaping
methods.

Thus we should remove the input side XSS validation of the user real
name field so that we allow ANY characters to be used in this field
(except 0x00 of course). Our existing output layers already handle XSS
sanitisation of variables such as the real name field.
mod - manage_user_create.php
mod - manage_user_update.php
mod - core/user_api.php
mod - core/custom_field_api.php
mod - account_update.php
mod - core/string_api.php

Issue History

Date Modified Username Field Change
2010-09-18 01:19 dhx New Issue
2010-09-18 01:19 dhx Status new => assigned
2010-09-18 01:19 dhx Assigned To => dhx
2010-09-18 01:22 dhx Changeset attached => MantisBT master 01d2ffad
2010-09-18 01:22 dhx Status assigned => resolved
2010-09-18 01:22 dhx Fixed in Version => 1.3.0-beta.1
2010-09-18 01:22 dhx Resolution open => fixed
2010-09-18 01:22 dhx Relationship added related to 0008743
2012-10-03 08:42 dregad Relationship added related to 0012441
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036231
2013-04-05 18:48 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-10-18 16:11 atrol Product Version 1.3.0-beta.1 => 1.2.15
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check
2014-11-07 12:53 vboctor Category bugtracker => security
2014-12-08 00:33 vboctor Status resolved => closed