Reviewed:  https://reviews.mahara.org/7820
Committed: https://git.mahara.org/mahara/mahara/commit/d9fd5e8df31fbc55624b0e34d466765cbe6b7f5c
Submitter: Robert Lyon ([email protected])
Branch:    master

commit d9fd5e8df31fbc55624b0e34d466765cbe6b7f5c
Author: Robert Lyon <[email protected]>
Date:   Mon Jun 12 08:49:51 2017 +1200

    Security Bug 1697308: Sanitizing the registration form information

    To avoid potential hacking vectors for the site

    behatnotneeded

    Change-Id: I53088c5e73017bc59f156483509e1bb7e8c1710a
    Signed-off-by: Robert Lyon <[email protected]>

https://bugs.launchpad.net/bugs/1697308

Title:
  Potential attack vector via registration form

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Committed

Bug description:
  As reported by Mushraf Mustafa

  By using something like

  Lastname: <img src='nothing' onerror='myFunction'>

  A user can submit a potentially dangerous payload to be saved as their
  name in the usr_registration table.

  The values are then also emailed out to the user and admin. And if
  accepted become part of the new user's account.

  We should clean up the submitted values from the form and remove any
  HTML tags and Javascript code as that is not valid input.
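
The clean-up the bug description asks for, sketched as an added example: this is not Mahara's code or the committed fix. The function names, the field list and the 100-character limit are assumptions, and the mbstring extension is assumed to be loaded.

```php
<?php
// Added example, not Mahara code. Names and limits here are assumptions.

// Reduce one submitted name field to plain text, or reject it.
function clean_name_field(string $raw, int $maxlen = 100): string {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('not valid UTF-8');
    }
    // Remove complete tags such as <img src=... onerror=...>.
    $value = strip_tags($raw);
    // Remove control characters, including CR/LF that could break mail headers.
    $value = trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $value));
    // A leftover "<" or ">" means the input was not a plain name.
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxlen
            || strpbrk($value, '<>') !== false) {
        throw new InvalidArgumentException('not a valid name');
    }
    return $value;
}

// Clean every name field before it is stored or emailed (hypothetical field list).
function clean_registration(array $submitted): array {
    $clean = [];
    foreach (['firstname', 'lastname'] as $field) {
        $clean[$field] = clean_name_field((string) ($submitted[$field] ?? ''));
    }
    return $clean;
}

// Encode at every HTML sink as well, so a value stored before the fix
// cannot execute in the admin's mail client or browser.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input using the payload from the bug description.
$submitted = [
    'firstname' => 'Alex',
    'lastname'  => "Smith<img src='nothing' onerror='myFunction'>",
];
$row = clean_registration($submitted);
echo html_out($row['lastname']), PHP_EOL;
```

Input cleaning and output encoding cover different cases: the first keeps markup out of new usr_registration rows, the second protects pages and emails that render rows saved earlier.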

