Blog Documentation Book a Demo
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

UserAward 1.4.1 Addon Security Flaw

ggaudreaggaudrea
edited May 2010 in Vanilla 2.0 - 2.8
This addon allows anyone to post arbitrary HTML/Javascript into a page by injection via the Notes field when creating an award.

Comments

  • ggaudreaggaudrea
    alert("really?");
  • StashStash
    edited May 2010 
    <script>alert("really?");</script>
    So, do you have a ptach/fix for the addon? If so, please could you post it here?
  • ggaudreaggaudrea
    My patch is so bad that I would not dare post it. :) Of course, I want to help, but I find it very hard to read and understand Vanilla code. It's basically its own language since everything has been wrapped in custom OO code. (That's not a critique, just a poor excuse on my part...)

    I just clean the NOTES output with strip_tags() and call it a day. Sorry!
  • StashStash
    Please post it, then perhaps someone else can come up with a more elegant solution! Not everyone here is a code wizard (I'm not!) so don't be embarrassed.
Sign In or Register to comment.