
Sanitizing Javascript [nevermind]

neonerz New
edited December 2013 in Vanilla 2.0 - 2.8

I'm very surprised this hasn't been brought up.

I'm using MyProfile with only one text box to allow people to make a "custom" profile in their About page.

We noticed that you could actually add Javascript to the profile. This seems like a huge vulnerability.

How can I sanitize the input from the end user to strip out all javascript? I know enough PHP to sanitize the input myself, if I could figure out where I could intercept the data before getting saved in Vanilla? (i.e., person presses save, I trigger a script to sanitize the javascript, then pass the data over to Vanilla to save).

Comments

  • Kasper Scholar of the Bits Copenhagen Vanilla Staff

    You'll need to wrap either Gdn_Format::Text() or htmlspecialchars() around all user generated content in view.php. Should be as simple as that!

    Kasper Kronborg Isager (kasperisager) | Freelance Developer @Vanilla | Hit me up: Google Mail or Vanilla Mail | Find me on GitHub

    hgtonight
  • Doesn't look like I could edit my post.

    Forget this, this was my own fault. While editing the view.php code, I accidentally removed the built-in vanilla validation.

    hgtonight
  • @Kasper said:
    You'll need to wrap either Gdn_Format::Text() or htmlspecialchars() around all user generated content in view.php. Should be as simple as that!

    That's real good to know for the future, but in regards to this specific plugin, I just happened to mess it up while editing it :D

    hgtonight
  • @neonerz so you retract that statement?

    I’m usually very careful with stuff like this.

    grep is your friend.

  • Linc Detroit Admin

    I think he was pretty clear it was just a goof up.

  • Yea. This plugin uses Gdn_Format::Auto (if you are adding a "textbox") out of the box to sanitize the input. I just accidentally removed that while I was making some edits to the plugin.
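
The output encoding suggested in the thread, as an added example that is not part of the original posts or the MyProfile plugin's code: it contrasts a raw echo of a profile field with an encoded one. It uses plain `htmlspecialchars()` so it runs without Vanilla; the variable and function names and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example (not MyProfile code). $profileAbout, $displayName, e() and
// the render*() helpers are hypothetical names; the input is constructed.

// Constructed sample of what a user could save in the "About" text box.
$profileAbout = 'Hello! <script>alert(1)</script> <b>bold</b>';
$displayName  = 'neo" onmouseover="alert(1)';

// Before: the stored value is echoed as-is, so the browser parses it as markup.
function renderAboutUnsafe(string $name, string $about): string {
    return '<div class="About" title="' . $name . '">' . $about . '</div>';
}

// Encode at output time. ENT_QUOTES also encodes ' and ", which is what keeps
// a value from breaking out of an attribute; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of making htmlspecialchars() return an empty string.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every user-controlled value passes through e() where it is printed.
function renderAboutSafe(string $name, string $about): string {
    return '<div class="About" title="' . e($name) . '">' . e($about) . '</div>';
}

// Quick check a view author can run after editing a template: no raw tag and
// no raw double quote from user input may survive in the rendered output.
function containsRawMarkup(string $html, string $userValue): bool {
    return (strpos($userValue, '<') !== false || strpos($userValue, '"') !== false)
        && strpos($html, $userValue) !== false;
}

$unsafe = renderAboutUnsafe($displayName, $profileAbout);
$safe   = renderAboutSafe($displayName, $profileAbout);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
var_dump(containsRawMarkup($unsafe, $profileAbout)); // raw echo leaks markup
var_dump(containsRawMarkup($safe, $profileAbout));   // encoded output does not
var_dump(containsRawMarkup($safe, $displayName));    // attribute value is contained
```

Inside a Vanilla view, the `e()` call would be replaced by the `Gdn_Format::Text()` wrapper Kasper mentions.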
