Blog Documentation Book a Demo
Options

UserAward 1.4.1 Addon Security Flaw

ggaudreaggaudrea
edited May 2010 in Vanilla 2.0 - 2.8
This addon allows anyone to post arbitrary HTML/Javascript into a page by injection via the Notes field when creating an award.

Comments

  • ggaudreaggaudrea
    alert("really?");
  • StashStash
    edited May 2010 
    <script>alert("really?");</script>
    So, do you have a ptach/fix for the addon? If so, please could you post it here?
  • ggaudreaggaudrea
    My patch is so bad that I would not dare post it. :) Of course, I want to help, but I find it very hard to read and understand Vanilla code. It's basically its own language since everything has been wrapped in custom OO code. (That's not a critique, just a poor excuse on my part...)

    I just clean the NOTES output with strip_tags() and call it a day. Sorry!
  • StashStash
    Please post it, then perhaps someone else can come up with a more elegant solution! Not everyone here is a code wizard (I'm not!) so don't be embarrassed.
Sign In or Register to comment.