UserAward 1.4.1 Addon Security Flaw

edited May 2010 in Vanilla 2.0 - 2.3
This addon allows anyone to post arbitrary HTML/JavaScript into a page by injecting it via the Notes field when creating an award.

Comments

  • alert("really?");
  • [-Stash-]
    edited May 2010
    <script>alert("really?");</script>
    So, do you have a patch/fix for the addon? If so, could you please post it here?
  • My patch is so bad that I would not dare post it. :) Of course, I want to help, but I find it very hard to read and understand Vanilla code. It's basically its own language since everything has been wrapped in custom OO code. (That's not a critique, just a poor excuse on my part...)

    I just clean the NOTES output with strip_tags() and call it a day. Sorry!
  • Please post it, then perhaps someone else can come up with a more elegant solution! Not everyone here is a code wizard (I'm not!) so don't be embarrassed.
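The flaw described in the opening post and the strip_tags() fix mentioned in the comments, side by side, as an added example that is not the UserAward addon's own code. The `$notes` variable stands in for the value read from the award record, the HTML fragments are a stand-in for the addon's view, and the two payload strings are constructed attacker input; none of these names come from the addon.

```php
<?php
// Added example, not code from the UserAward addon. $notes stands in for the
// Notes value loaded from the award record; the markup around it is a stand-in
// for whatever view the addon renders it into.

// Constructed attacker input: what someone able to create an award could type
// into the Notes field.
$payloadTag  = '<script>alert("really?");</script>';
$payloadAttr = '" autofocus onfocus="alert(1)';   // contains no tags at all

// 1. The bug: the stored value is echoed straight into the page, so any markup
//    in it becomes part of the document and scripts run for every viewer.
function renderNotesRaw(string $notes): string {
    return '<div class="AwardNotes">' . $notes . '</div>';
}

// 2. The fix proposed in the thread: strip_tags() removes anything that looks
//    like a tag. It is a blocklist, so it leaves quotes and entities untouched
//    and silently discards text rather than displaying it.
function renderNotesStripped(string $notes): string {
    return '<div class="AwardNotes">' . strip_tags($notes) . '</div>';
}

// 3. Output encoding for an HTML text node: htmlspecialchars() with ENT_QUOTES
//    (both quote styles encoded), ENT_SUBSTITUTE (invalid UTF-8 replaced rather
//    than the whole string dropped) and an explicit charset. The note is shown
//    exactly as typed, and the browser never parses it as markup.
function renderNotesEncoded(string $notes): string {
    return '<div class="AwardNotes">'
        . htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// The same value placed in an attribute, e.g. when the award form is
// re-populated for editing. strip_tags() gives no protection here because the
// payload needs no tag: a double quote closes the attribute and the rest of
// the string adds an event handler.
function renderNotesInAttrStripped(string $notes): string {
    return '<input type="text" name="Notes" value="' . strip_tags($notes) . '">';
}

// Encoding with ENT_QUOTES keeps the value inside the quoted attribute.
function renderNotesInAttrEncoded(string $notes): string {
    return '<input type="text" name="Notes" value="'
        . htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

foreach ([
    'raw text node'        => renderNotesRaw($payloadTag),
    'strip_tags text node' => renderNotesStripped($payloadTag),
    'encoded text node'    => renderNotesEncoded($payloadTag),
    'strip_tags attribute' => renderNotesInAttrStripped($payloadAttr),
    'encoded attribute'    => renderNotesInAttrEncoded($payloadAttr),
] as $label => $html) {
    printf("%-22s %s\n", $label, $html);
}
```

Run with `php example.php`. The first line shows the script tag reaching the page unchanged; the strip_tags() line shows the tag removed but the inner text kept; the encoded line shows `&lt;script&gt;...` which the browser displays literally. The two attribute lines are the caveat to the strip_tags() approach: the tagless payload passes through strip_tags() intact and breaks out of the `value` attribute, while htmlspecialchars() with ENT_QUOTES encodes the quote and keeps it contained. Escaping at the point of output, chosen for the context the value lands in, is the general fix; strip_tags() only happens to cover the one payload shown in the thread.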