View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008743 | mantisbt | security | public | 2008-01-13 14:13 | 2011-08-05 02:25 |
Reporter | schoenfeld | Assigned To | dhx | ||
Priority | normal | Severity | tweak | Reproducibility | have not tried |
Status | closed | Resolution | won't fix | ||
Summary | 0008743: function string_contains_scripting_chars should check for ' and " | ||||
Description | The function string_contains_scripting_chars in core/string_api.php is only checking for the ocurrence of '>' and '<'. To avoid XSS attacks this is inadequate under certain cirumstances. Such circumstances are not yet in the mantis code, but they could become true in the future, therefore the function should be enhanced to also check for the ocurrence of ' and ". | ||||
Tags | No tags attached. | ||||
Attached Files | 8743.patch (755 bytes)
diff -u -urN mantis-1.1.0.orig/core/string_api.php mantis-1.1.0/core/string_api.php --- mantis-1.1.0.orig/core/string_api.php 2008-01-13 20:07:45.270746335 +0100 +++ mantis-1.1.0/core/string_api.php 2008-01-13 20:13:04.752952588 +0100 @@ -716,7 +716,8 @@ # -------------------- # Checks the supplied string for scripting characters, if it contains any, then return true, otherwise return false. function string_contains_scripting_chars( $p_string ) { - if ( ( strstr( $p_string, '<' ) !== false ) || ( strstr( $p_string, '>' ) !== false ) ) { + if ( ( strstr( $p_string, '<' ) !== false ) || ( strstr( $p_string, '>' ) !== false ) || + ( strstr( $p_string, '\'') !== false ) || ( strstr( $p_string, '"' ) !== false ) ) return true; } | ||||
The attached patch hopefully fixes the issue. However: It is untested. |
|
Ouch, I think we should just get rid of that ugly function... I checked and it used 3 times in the whole code:
Now, your patch breaks 3, as surnames like O'Grady will become invalid, but the main point is that I fail to see why we should prevent users real names or custom fields from containing > and < Of course, provided we ENSURE all output is properly escaped to avoid XSS... |
|
Agreed that this is a fairly useless function. We should be replacing > and < with safe output such as > and < instead. Imagine semi-colons at the end there :) |
|
Won't fix as per removal of input side real name validation in 0012368. |
|