View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004018 | mantisbt | security | public | 2004-07-07 23:38 | 2006-10-09 11:54 |
Reporter | int2str | Assigned To | int2str |
Priority | immediate | Severity | block | Reproducibility | always |
Status | closed | Resolution | fixed |
Fixed in Version | 0.19.0a2 |
Summary | 0004018: Real name field allows potentially dangerous HTML |
Description | HTML isn't stripped or filtered from the real name field. I've tested it with crude JavaScript and it runs it. This is a very high security risk and must be fixed immediately. |
Tags | No tags attached. |
Reminder sent to vboctor Victor, I will fix this right now. Please consider a warning on the Mantis homepage and let's release a fix or a new alpha right away! |
|
Fixed in CVS. Here is the diff for the change, so people can apply it by hand if necessary: |
|
Given that it is an alpha version and it is not recommended for users to install it on a production system, I am considering waiting for the alpha 2 version, which I am thinking of releasing next week. What do you think? I just want to get some feedback on the issues that users find, and fix them before we release the next alpha. I am talking here about the sort of blocking issues like broken search, ...etc. |
|
I applied the patch to this installation. However, I think if someone already added a name with JavaScript, then the patch won't stop it from executing, right? |
|
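The last note asks whether a save-time fix protects against names that were already stored. The sketch below is an added example, not MantisBT code and not the diff mentioned above; the function names, column names and sample rows are assumptions constructed for illustration. It contrasts filtering on save with encoding on output, and audits rows written before the fix.

```php
<?php
// Added example, not MantisBT code. Rows are constructed sample data standing
// in for a user table; column and function names are assumptions.
$rows = [
    ['id' => 1, 'username' => 'alice', 'realname' => 'Alice Example'],
    // Stored before the save-time filter existed:
    ['id' => 2, 'username' => 'bob',   'realname' => '<script>alert(1)</script>'],
    ['id' => 3, 'username' => 'carol', 'realname' => 'Carol <b>Example</b>'],
];

/** Save-time filter (hypothetical): only affects values written from now on. */
function filter_realname_on_save(string $input): string
{
    return trim(strip_tags($input));
}

/** Output-time encoding: makes any stored value inert, old or new. */
function render_realname(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Audit: return rows whose stored real name still contains markup. */
function find_suspect_realnames(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        return $row['realname'] !== strip_tags($row['realname'])
            || strpbrk($row['realname'], '<>"') !== false;
    }));
}

// 1. A new submission is cleaned by the save-time filter.
echo filter_realname_on_save('<i>Dave</i>'), "\n";

// 2. Rows written earlier are untouched by that filter and have to be found.
foreach (find_suspect_realnames($rows) as $row) {
    printf("suspect id=%d user=%s\n", $row['id'], $row['username']);
}

// 3. Encoding at render time neutralises every row, whenever it was saved.
foreach ($rows as $row) {
    echo render_realname($row['realname']), "\n";
}
```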
MantisBT: master 3ae3dbbe 2004-07-08 00:54 int2str |
* Fix 0004018: Real name field allows potentially dangerous HTML git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2665 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0004018 |
|
mod - doc/ChangeLog |
mod - account_update.php |