Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-12202

Variables read from style.cfg etc. should be htmlspecialchared

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.12
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b1
    • Component/s: None
    • Labels:
      None

      Description

      Derky pointed out that variables read from style.cfg are used in HTML as is. Now, with a malicious style, you probably have bigger problems. However, when the style name contains malicious HTML, it is persisted into the log table when installing the style which may go unnoticed by the admin.
      This can be easily prevented by htmlspecialchar()ing data that is read from the files.

        Attachments

          Activity

            People

            • Assignee:
              EXreaction EXreaction [X] (Inactive)
              Reporter:
              bantu Andreas Fischer
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: