
Sanitizing Javascript [nevermind]

This discussion is related to the MyProfile addon.
neonerz New
edited December 2013 in Vanilla 2.0 - 2.8

I'm very surprised this hasn't been brought up.

I'm using MyProfile with only one text box to allow people to make a "custom" profile in their About page.

We noticed that you could actually add JavaScript to the profile. This seems like a huge vulnerability.

How can I sanitize the input from the end user to strip out all JavaScript? I know enough PHP to sanitize the input myself, if I could figure out where I could intercept the data before it gets saved in Vanilla (i.e., person presses save, I trigger a script to sanitize the JavaScript, then pass the data over to Vanilla to save).

Comments

  • Kasper Scholar of the Bits Copenhagen Vanilla Staff

    You'll need to wrap either Gdn_Format::Text() or htmlspecialchars() around all user generated content in view.php. Should be as simple as that!

    Kasper Kronborg Isager (kasperisager) | Freelance Developer @Vanilla | Hit me up: Google Mail or Vanilla Mail | Find me on GitHub
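    The output-escaping Kasper describes, shown as an added example (not the MyProfile plugin's or Vanilla's own code): a view that echoes the profile text raw beside one that wraps it in htmlspecialchars(). The $Profile array and the renderAbout*() function names are assumptions for the demo.

    ```php
    <?php
    // Added example, not code from the MyProfile plugin or Vanilla core.
    // Assumes the "About" textbox value arrives in a hypothetical $Profile array.

    // Constructed sample of what a user could type into the About textbox.
    $Profile = ['About' => 'Hi there! <script>alert(1)</script> <b>me</b>'];

    // Vulnerable pattern: the stored string is written straight into the page,
    // so any tags the user typed become live markup (the behaviour the OP saw).
    function renderAboutUnsafe(array $Profile): string
    {
        return '<div class="About">' . $Profile['About'] . '</div>';
    }

    // Hardened pattern: escape at output time. <, >, &, " and ' become entities,
    // so the browser displays the tags as text instead of executing them.
    // Inside Vanilla, Gdn_Format::Text() is the framework's wrapper for the
    // same job, as mentioned in the thread.
    function renderAboutSafe(array $Profile): string
    {
        $escaped = htmlspecialchars($Profile['About'], ENT_QUOTES, 'UTF-8');
        return '<div class="About">' . $escaped . '</div>';
    }

    // Print both renderings so the difference is visible in the HTML source.
    echo "Unsafe: " . renderAboutUnsafe($Profile) . PHP_EOL;
    echo "Safe:   " . renderAboutSafe($Profile) . PHP_EOL;
    ```

    Run it with `php` from the command line and compare the two lines: the safe one contains no raw `<script>` tag, only entity-encoded text.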

  • Doesn't look like I could edit my post.

    Forget this, this was my own fault. While editing the view.php code, I accidentally removed the built-in vanilla validation.

  • @Kasper said:
    You'll need to wrap either Gdn_Format::Text() or htmlspecialchars() around all user generated content in view.php. Should be as simple as that!

    That's real good to know for the future, but in regards to this specific plugin, I just happened to mess it up while editing it :D

  • hgtonight

    @neonerz so you retract that statement?

    I’m usually very careful with stuff like this.

    grep is your friend.

  • Linc Detroit Admin

    I think he was pretty clear it was just a goof up.

  • Yea. This plugin uses Gdn_Format::Auto (if you are adding a "textbox") out of the box to sanitize the input. I just accidentally removed that while I was making some edits to the plugin.
