Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.
Please upgrade here. These earlier versions are no longer being updated and have security issues.

UserAward 1.4.1 Addon Security Flaw

edited May 2010 in Vanilla 2.0 - 2.8
This addon allows anyone to post arbitrary HTML/Javascript into a page by injection via the Notes field when creating an award.


  • alert("really?");
  • [-Stash-][-Stash-]
    edited May 2010
    So, do you have a ptach/fix for the addon? If so, please could you post it here?
  • My patch is so bad that I would not dare post it. :) Of course, I want to help, but I find it very hard to read and understand Vanilla code. It's basically its own language since everything has been wrapped in custom OO code. (That's not a critique, just a poor excuse on my part...)

    I just clean the NOTES output with strip_tags() and call it a day. Sorry!
  • Please post it, then perhaps someone else can come up with a more elegant solution! Not everyone here is a code wizard (I'm not!) so don't be embarrassed.
Sign In or Register to comment.