This discussion is related to the MyProfile addon.
edited December 2013 in Vanilla 2.0 - 2.8
I'm very surprised this hasn't been brought up.
I'm using MyProfile with only one text box to allow people to make a "custom" profile in their About page.
You'll need to wrap either htmlspecialchars() around all user generated content in view.php. Should be as simple as that!
Kasper Kronborg Isager (kasperisager) | Freelance Developer @Vanilla | Hit me up: Google Mail or Vanilla Mail | Find me on GitHub
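What that output escaping looks like in practice, as an added illustration rather than the MyProfile plugin's own view.php (the field name, the render functions and the sample "About" value are all constructed; the thread's actual fix is the plugin's built-in Gdn_Format::Auto call, shown here in its plain htmlspecialchars() form):

```php
<?php
// Constructed user-supplied value, the kind of thing a custom "About" box holds.
// It mixes harmless formatting with a script tag so the difference is visible.
$about = 'Hi! <b>I code</b> <script>alert(1)</script>';

// Unescaped: echoing the stored value straight into the page lets any markup
// the user typed become part of the HTML, which is the problem described above.
function renderAboutUnescaped(string $about): string
{
    return '<div class="About">' . $about . '</div>';
}

// Escaped: the same rendering with htmlspecialchars() wrapped around the
// user-generated content. ENT_QUOTES also escapes single quotes, so the same
// helper is safe to use inside attribute values; the charset must match the
// page's encoding (Vanilla serves UTF-8).
function renderAboutEscaped(string $about): string
{
    return '<div class="About">'
        . htmlspecialchars($about, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// In a real view the escaped form is the only one that should ever be used;
// both are printed here only to show what changes.
echo renderAboutUnescaped($about), PHP_EOL;
echo renderAboutEscaped($about), PHP_EOL;
```

Escaping belongs at output time in the view, as Kasper says; validating or stripping on input does not help if a later edit to view.php drops it, which is exactly what the next posts turn out to describe.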
Doesn't look like I could edit my post.
Forget this, this was my own fault. While editing the view.php code, I accidentally removed the built-in vanilla validation.
That's real good to know for the future, but in regards to this specific plugin, I just happened to mess it up while editing it.
@neonerz so you retract that statement?
I’m usually very careful with stuff like this.
grep is your friend.
I think he was pretty clear it was just a goof up.
Yea. This plugin uses Gdn_Format::Auto (if you are adding a "textbox") out of the box to sanitize the input. I just accidentally removed that while I was making some edits to the plugin.