Sanitizing Javascript [nevermind]
neonerz
I'm very surprised this hasn't been brought up.
I'm using MyProfile with only one text box to allow people to make a "custom" profile in their About page.
We noticed that you could actually add Javascript to the profile. This seems like a huge vulnerability.
How can I sanitize the input from the end user to strip out all javascript? I know enough PHP to sanitize the input myself, if I could figure out where I could intercept the data before getting saved in Vanilla? (i.e., person presses save, I trigger a script to sanitize the javascript, then pass the data over to Vanilla to save).
Comments
You'll need to wrap either Gdn_Format::Text() or htmlspecialchars() around all user generated content in view.php. Should be as simple as that!

Kasper Kronborg Isager (kasperisager) | Freelance Developer @Vanilla | Hit me up: Google Mail or Vanilla Mail | Find me on GitHub
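The advice above is output encoding: the "About" text is stored as the user typed it, and the view has to escape it before it becomes part of the HTML page. The following script is an added example, not code from the thread or from the MyProfile plugin. It shows the htmlspecialchars() path (the Vanilla-side equivalent named above is Gdn_Format::Text(), which is assumed here to escape in the same way) so it runs with plain PHP and no Vanilla install. The sample profile text and the two render functions are constructed for the example.

```php
<?php
// Added example (not from the thread or the MyProfile plugin): the difference
// between echoing a user-supplied "About" field raw and escaping it for HTML.
// The thread's advice is to wrap such output in Gdn_Format::Text() or
// htmlspecialchars() inside the plugin's view.php; this file shows the
// htmlspecialchars() path so it runs without Vanilla installed.

// Constructed sample value, as a user might type it into the custom profile box.
$about = 'Hi <b>there</b> <script>alert(1)</script>';

// Unsafe rendering: whatever the user typed becomes markup in the About page,
// which is exactly the situation the original post describes.
function renderAboutUnsafe(string $about): string
{
    return '<div class="about">' . $about . '</div>';
}

// Safe rendering: every character that has meaning in HTML is encoded, so the
// browser displays the text instead of parsing it. ENT_QUOTES also encodes
// single quotes (needed if the value ever lands inside an attribute), and the
// explicit charset avoids mis-encoding surprises.
function renderAboutSafe(string $about): string
{
    $escaped = htmlspecialchars($about, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="about">' . $escaped . '</div>';
}

$unsafe = renderAboutUnsafe($about);
$safe   = renderAboutSafe($about);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";

// Quick self-check a maintainer can keep next to the view: the escaped output
// must not contain a raw <script tag, only its encoded form.
assert(stripos($safe, '<script') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
```

The practical check when editing a plugin's view.php is the one the thread ends on: search the view for every place user content is echoed and confirm each one still passes through Gdn_Format::Text(), Gdn_Format::Auto() or htmlspecialchars(); a single raw echo is enough to reintroduce the problem.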
Doesn't look like I could edit my post.
Forget this, this was my own fault. While editing the view.php code, I accidentally removed the built-in vanilla validation.
That's really good to know for the future, but in regard to this specific plugin, I just happened to mess it up while editing it.
@neonerz so you retract that statement?
I’m usually very careful with stuff like this.
grep is your friend.
I think he was pretty clear it was just a goof up.
Yea. This plugin uses Gdn_Format::Auto (if you are adding a "textbox") out of the box to sanitize the input. I just accidentally removed that while I was making some edits to the plugin.