View Issue Details

ID: 0012368
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: dhx
Assigned To: dhx
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary0012368: Remove input side XSS validation of user real names
Description

XSS issues should be handled on the output side of MantisBT rather than on the input side. The user real name field was being validated on the input side, which is poor design due to the many ways in which a user real name could change (SOAP API, XML import, web interface, external scripts, plugins, etc). Furthermore, different output interfaces (XML, CSS, XHTML, etc) require different sanitisation and escaping methods.

Thus we should remove the input side XSS validation of the user real name field so that we allow ANY characters to be used in this field (except 0x00 of course). Our existing output layers already handle XSS sanitisation of variables such as the real name field.
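The output-side approach the report argues for, as an added example that is not MantisBT's own code (function names are hypothetical, the sample name is constructed): the real name is stored with only the 0x00 check, and each output interface escapes it according to its own grammar.

```php
<?php
declare(strict_types=1);
// Added example, not MantisBT code. Function names are hypothetical.

// Input side: accept any characters; the only rejection is 0x00, which
// is unsafe for the storage layer regardless of the eventual output format.
function realname_store(string $name): string
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('real name must not contain 0x00');
    }
    return $name; // stored verbatim: no <, >, quote or script filtering here
}

// Output side: every interface applies the escaping its own grammar needs.

// HTML text node or quoted attribute value.
function realname_html(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// XML 1.0 text node: the same five characters are escaped, but control
// characters other than tab/LF/CR cannot be represented and are dropped.
function realname_xml(string $name): string
{
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $name);
    return htmlspecialchars($clean, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// JavaScript string literal inside a <script> block: JSON encoding with the
// HEX flags so that quotes and "</script>" cannot terminate the context.
function realname_js(string $name): string
{
    return json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// CSS string literal: hex-escape every non-alphanumeric code point.
function realname_css(string $name): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', mb_ord($m[0], 'UTF-8'));
    }, $name);
}

$name = realname_store("Conan O'Brien <b>\"Late\"</b> & co"); // constructed sample
printf("html: %s\nxml:  %s\njs:   %s\ncss:  %s\n",
    realname_html($name), realname_xml($name), realname_js($name), realname_css($name));
```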

Tags: No tags attached.

Relationships

related to 0012441 (closed, daryn): Unable to update custom fields due to missing function error.
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0008743 (closed, dhx): function string_contains_scripting_chars should check for ' and "

Activities

grangeway (reporter), 2013-04-05 17:57, note ~0036231

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 01d2ffad (dhx, 2010-09-18 01:19)

Issue 0012368: Remove input side XSS validation of user real names

XSS issues should be handled on the output side of MantisBT rather than
on the input side. The user real name field was being validated on the
input side, which is poor design due to the many ways in which a user
real name could change (SOAP API, XML import, web interface, external
scripts, plugins, etc). Furthermore, different output interfaces (XML,
CSS, XHTML, etc) require different sanitisation and escaping methods.

Thus we should remove the input side XSS validation of the user real
name field so that we allow ANY characters to be used in this field
(except 0x00 of course). Our existing output layers already handle XSS
sanitisation of variables such as the real name field.

Affected Issues: 0012368

Modified files:
mod - manage_user_create.php
mod - manage_user_update.php
mod - core/user_api.php
mod - core/custom_field_api.php
mod - account_update.php
mod - core/string_api.php