#838 closed defect (bug) (fixed)
HTML in Profile Name Field
| Reported by: | Magganpice | Owned by: | johnjamesjacoby |
|---|---|---|---|
| Milestone: | 1.1 | Priority: | critical |
| Severity: | | Version: | |
| Component: | | Keywords: | has-patch, security, html |
| Cc: | | | |
Description
A user can enter an HTML string like:
`<b /><a href="http://whateverwhatever.com/?q=Ano+Nymous+0">Ano Nymous 0</a>`
into the name field in his profile. This leads to broken menu items and can lead to the misleading of users to phishing websites. For instance, when that user then sends friend requests to other people and they click the "Ano Nymous sent you a friend request" in their menu, they are sent to the external site...
Attachments (2)
Change History (12)
#3 (15 years ago)
- Resolution fixed deleted
- Status changed from closed to reopened
I will have to reopen this (sorry). Since the HTML is still saved in the profile field, this does not only affect the activity streams. It also appears in blogs (I will try to upload a screenshot here).
Best would be to strip the HTML out of those fields when saving (or encoding it), that would eliminate the problem in all the places it still appears.
You can try this by entering `<strike>Peter Miller` into your "name" field in your profile. Then head into a blog post and you see half the page has a strike-through.
#5 (15 years ago)
- Keywords has-patch added
Added potential patch option.
Does a quick sanitize of the `bp_core_get_user_displayname` function to strip out PHP and HTML on display.
A part of this is fixed in testbp.org - but with HTML in my profile "name" field, I still get display errors when commenting in blogs. So, best solution would be to strip out HTML directly after the user edits his profile (and not in each display function).
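The two sanitisation points argued over in comments #3 and #5 (clean once on save versus escape in each display function), as an added example in plain PHP; this is not BuddyPress code or the attached patch. The function names `sanitize_display_name_on_save` and `display_name_for_html` are hypothetical, the inputs are the two strings from the ticket plus one constructed legitimate name, and the `mb_substr` call assumes the mbstring extension is loaded.

```php
<?php
// Added example (not BuddyPress code): the two places where a profile display
// name can be sanitised, as discussed in comments #3 and #5. Both function
// names are hypothetical; strip_tags() and htmlspecialchars() are standard PHP.

// Strategy from comment #3: clean the value once, when the profile is saved.
// Every consumer (activity stream, menus, blog comments) then reads plain text.
function sanitize_display_name_on_save(string $raw): string
{
    // strip_tags() removes HTML and PHP tags, including unclosed ones such as
    // "<strike>", which is what leaked a strike-through into whole blog pages.
    $clean = strip_tags($raw);
    // Collapse whitespace left behind by removed markup, then trim.
    $clean = preg_replace('/\s+/', ' ', $clean);
    // Bound the length so a name cannot be used to stuff layout either
    // (100 characters is an assumed limit, not a BuddyPress setting).
    return mb_substr(trim($clean), 0, 100);
}

// Strategy from comment #5: escape at display time. This protects a template
// even when dirty data is already stored, but it has to be repeated in every
// place the name is printed, which is why comment #3 prefers cleaning on save.
function display_name_for_html(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the two strings reported in the ticket and one
// legitimate name containing characters that must survive escaping.
$samples = [
    '<b /><a href="http://whateverwhatever.com/?q=Ano+Nymous+0">Ano Nymous 0</a>',
    '<strike>Peter Miller',
    "O'Connor & Sons",
];

foreach ($samples as $raw) {
    $saved = sanitize_display_name_on_save($raw);
    printf("raw:     %s\nsaved:   %s\nescaped: %s\n\n",
        $raw, $saved, display_name_for_html($saved));
}
// The first two samples reach storage as the plain names "Ano Nymous 0" and
// "Peter Miller"; the third is stored unchanged and escaped to
// "O&#039;Connor &amp; Sons", which a browser renders as the original text.
```

Doing both is the usual answer rather than choosing one: stripping on save fixes the stored value for every existing and future consumer, and escaping on output guards templates against data that was written before the fix or through another path. `strip_tags()` is a blunt tool (a stray `<` in a name can swallow the text after it), so for a name field that is acceptable, but for free-form profile fields an allow-list filter such as WordPress's `wp_kses` is the better fit.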