Item9985: Problem on login page?

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: DaveHayes
Waiting For:
Last Change By: CrawfordCurrie
The attached two PDF files will show the results of entering "foo@bar.org" in the username field and "[asdf]" in the username field.

-- DaveHayes - 09 Nov 2010

The problem is that the template renders the value that was entered.

Emails become mailto addressed and square links become links also.

But < and > are encoded which should prevent most XSS attacks.

But we should stop this rendering.

Anyone fixing this - do not make a fix that makes only A-Z0-9 work. Login names can be with both punctuation and non-English characters.

-- KennethLavrsen - 09 Nov 2010
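
Added example, not part of the original report and not Foswiki's own code: a Python sketch of the fix direction discussed above, entity-encoding markup characters in the echoed login name instead of restricting it to A-Z0-9. `toy_render`, the characters beyond `<`, `>`, `@`, `[` and `]`, and the sample name are assumptions made for illustration.

```python
import html
import re

# Characters a wiki renderer may act on. '<' and '>' are the ones the report
# says are already encoded; '@', '[' and ']' are the ones it shows being
# rendered. The rest (& " ' % | _ * =) are an assumed set of further
# HTML/wiki markup characters.
SIGNIFICANT = "<>&\"'@[]%|_*="
_ENTITY_TABLE = {ord(c): "&#%d;" % ord(c) for c in SIGNIFICANT}


def encode_for_redisplay(value: str) -> str:
    """Entity-encode markup characters; leave every other character alone."""
    return value.translate(_ENTITY_TABLE)


def whitelist_only(value: str) -> str:
    """The A-Z0-9-only approach the comment warns against (for contrast)."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def toy_render(text: str) -> str:
    """Hypothetical stand-in for a wiki renderer: autolinks [x] and e-mails."""
    text = re.sub(r"\[([^\[\]]+)\]", r'<a href="/\1">\1</a>', text)
    return re.sub(r"([\w.+-]+@[\w.-]+\.\w+)", r'<a href="mailto:\1">\1</a>', text)


def redisplay(value: str) -> str:
    """What the login template would emit for a previously entered username."""
    return toy_render(encode_for_redisplay(value))


if __name__ == "__main__":
    # Constructed inputs: the two from the report plus a non-English name.
    for name in ["foo@bar.org", "[asdf]", "Jörg.O'Brien"]:
        print(repr(name))
        print("  rendered raw :", toy_render(name))
        print("  encoded first:", redisplay(name))
        print("  browser shows:", html.unescape(redisplay(name)))
        print("  whitelist    :", whitelist_only(name))
```

Because the encoded value decodes back to exactly what was typed, the user still sees their own login name, while the renderer finds no `@` or square brackets to turn into links.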
 


This is reproducible on 1.0.9 but not on 1.1.3beta1 or trunk.

Closing.

-- CrawfordCurrie - 16 Mar 2011

ItemTemplate

Summary Problem on login page?
ReportedBy DaveHayes
Codebase 1.1.1
SVN Range
AppliesTo Engine
Component
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn n/a
Attachment | Size | Date | Who | Comment
fosbug.pdf | 56 K | 09 Nov 2010 - 22:11 | DaveHayes | Result of foo@bar.org username entry
fosbug2.pdf | 57 K | 09 Nov 2010 - 22:12 | DaveHayes | Result of [asdf] username entry
Topic revision: r3 - 16 Mar 2011, CrawfordCurrie