Item9985: Problem on login page?
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
The attached two pdf files will show the results of entering "foo@bar.org" in the username field and "[asdf]" in the username field.
-- DaveHayes - 09 Nov 2010
The problem is that the template renders the value that was entered.
Emails become mailto addressed and square links become links also.
But < and > are encoded which should prevent most XSS attacks.
But we should stop this rendering.
Anyone fixing this - do not make a fix that makes only A-Z0-9 work. Login names can be with both punctuation and non-English characters.
-- KennethLavrsen - 09 Nov 2010
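An added example, not part of the original report or the project's code: one way to redisplay an entered login name so that the template's link rendering never fires, without restricting names to A-Z0-9. `toy_wiki_render` is a constructed stand-in for the template renderer described above, and `encode_for_redisplay` and `redisplay` are hypothetical names.

```python
import re

# Constructed stand-in for the template renderer described in the report:
# it encodes < and > but still auto-links e-mail addresses and [bracket] text.
def toy_wiki_render(text):
    text = text.replace("<", "&lt;").replace(">", "&gt;")
    text = re.sub(r"\[(\w+)\]", r'<a href="/\1">\1</a>', text)
    text = re.sub(r"\b([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\b",
                  r'<a href="mailto:\1">\1</a>', text)
    return text


def encode_for_redisplay(login):
    """Encode a user-supplied login name before it reaches the renderer.

    Letters and digits, including non-English ones, pass through unchanged.
    Every other character becomes a numeric character reference, so the
    browser still shows the original text but neither HTML nor the
    renderer's markup patterns (@, [, ], <, > ...) survive in the value.
    """
    return "".join(ch if ch.isalnum() else "&#%d;" % ord(ch) for ch in login)


def redisplay(login):
    # Encode first, then hand the value to the renderer.
    return toy_wiki_render(encode_for_redisplay(login))


if __name__ == "__main__":
    # Constructed sample inputs: the two values from the report plus
    # names with punctuation and non-English characters.
    for name in ["foo@bar.org", "[asdf]", "José.O'Neil", "<b>"]:
        print(repr(name))
        print("  rendered raw :", toy_wiki_render(name))
        print("  encoded first:", redisplay(name))
```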
This is reproducible on 1.0.9 but not on 1.1.3beta1 or trunk.
Closing.
-- CrawfordCurrie - 16 Mar 2011