
Variables read from style.cfg etc. should be htmlspecialchared


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.12
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b1
    • Component/s: None
    • Labels: None

      Description

      Derky pointed out that variables read from style.cfg are used in HTML as is. Now, with a malicious style, you probably have bigger problems. However, when the style name contains malicious HTML, it is persisted into the log table when installing the style which may go unnoticed by the admin.
      This can be easily prevented by passing data that is read from the files through htmlspecialchars() before it is used.
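The following is an added illustration of the fix described in the report, not phpBB's own code. It reads a constructed style.cfg-style string with a hypothetical parser (parse_cfg_string(), not phpBB's parse_cfg_file()), then shows the unescaped value beside the value escaped with htmlspecialchars() before it reaches a log message or HTML output.

```php
<?php
// Added example (not phpBB's own code): read a style.cfg-like file and
// escape every value before it is echoed or written to a log table.

// Constructed sample in the style.cfg format: "key = value" lines, '#' comments.
$sampleCfg = <<<'CFG'
#
# Constructed sample style.cfg
#
name = Evil Style <script>alert(1)</script>
copyright = &copy; 2014 Example
version = 3.0.12
CFG;

/**
 * Parse a style.cfg-style string into an associative array.
 * Hypothetical helper; it is not phpBB's parse_cfg_file().
 */
function parse_cfg_string(string $contents): array
{
    $parsed = [];
    foreach (preg_split('/\r?\n/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // skip blank lines and comments
        }
        $parts = explode('=', $line, 2);    // split on the first '=' only
        if (count($parts) !== 2) {
            continue;                       // ignore malformed lines
        }
        $parsed[trim($parts[0])] = trim($parts[1]);
    }
    return $parsed;
}

/**
 * Escape every parsed value once, at the point it leaves the file.
 * ENT_QUOTES also escapes single quotes so the value is safe in attributes.
 */
function escape_cfg_values(array $cfg): array
{
    return array_map(
        static fn(string $value): string => htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
        $cfg
    );
}

$raw  = parse_cfg_string($sampleCfg);
$safe = escape_cfg_values($raw);

// Vulnerable: the style name is concatenated into the log message as is,
// so the <script> tag is stored and later rendered in the admin log view.
$unsafeLog = 'Style installed: ' . $raw['name'];

// Hardened: the escaped name is stored, and the tag renders as literal text.
$safeLog = 'Style installed: ' . $safe['name'];

echo $unsafeLog, PHP_EOL;
echo $safeLog, PHP_EOL;
```

Run it with `php example.php`. Note that escaping at read time means the stored value must not be escaped a second time on output, or an entity the file legitimately contains (the `&copy;` in the sample becomes `&amp;copy;` after one pass) is double-encoded; the decision to escape at the file boundary, as the report proposes, has to be consistent with how the log view later prints the stored text.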

            People

            Assignee:
            EXreaction EXreaction [X] (Inactive)
            Reporter:
            bantu Andreas Fischer