OJS OCS OMP OHS

You are viewing the PKP Support Forum | PKP Home Wiki

PKP Support

Support forums for the Public Knowledge Project

Skip to content


Software Hosting and Development Services available at PKP Publishing Services

As the developers of Open Journal Systems, Open Conference Systems, Open Harvester Systems, and Open Monograph Press, the PKP team are experts in helping journal managers and conference organizers make the most of their online publishing projects. PKP Publishing Services offers support for:

As a customer of PKP Publishing Services, you will not only receive direct, personalized support from the PKP Development Team, but will be contributing to the ongoing development of the PKP applications. All funds raised by PKP Publishing Services go directly toward enhancing our free, open source software. For more information, please contact us.

Quotes missing?

OCS development discussion, enhancement requests, third-party patches and plug-ins.

Moderators: jmacgreg, michael

Forum rules
Developer Resources:

Documentation: The OJS Technical Reference and the OJS API Reference are both available from the OJS Documentation page. While these are OJS-specific, the OCS codebase is similar enough to OJS they should be of help. There is also an [url=http://pkp.sfu.ca/ocs_documentation[/url]OCS Documentation[/url] page with some more general documentation that might also be of interest.

Git: You can access our public Git Repository here. Comprehensive Git usage instructions are available on the wiki.

Bugzilla: You can access our Bugzilla report tracker here.

Search: You can use our Google Custom Search to search across our main website, the support forum, and Bugzilla.

Questions and discussion are welcome, but if you have a workflow or usability question you should probably post to the OCS Conference Support and Discussion subforum; if you have a technical support question, try the OCS Technical Support subforum.
Post a reply

Quotes missing?

Postby lmnop » Mon Feb 16, 2009 7:59 am

Hi, just something minor I noticed (maybe even a non-issue),

On line 30 of templates/user/createAccount.tpl, I think quotes might need to be added around the value to prevent someone from injecting some funny code since $source is obtained directly from the URL. It doesn't seem to escape spaces from the URL (%20), so it might be possible to add JavaScript code in the form of a separate (maybe browser specific) attribute in the tag. Maybe I'm letting my paranoia get the best of me though...

The line looks like (this is from the CVS checkout):
Code: Select all
{if $source}
  <input type="hidden" name="source" value={$source|escape}/>
{/if}


Thanks,
Will
lmnop
 
Posts: 1
Joined: Mon Feb 16, 2009 7:29 am
Top

Re: Quotes missing?

Postby asmecher » Mon Feb 16, 2009 8:36 am

Hi Will,

That is indeed a bug -- I've created an entry for it and corrected it in CVS; see http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=4069. A quick grep didn't turn up any other examples of the same problem. Most of the injection risks are mitigated by the "escape" modifier, though it may be possible to get some very simple Javascript through.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 5769
Joined: Wed Aug 10, 2005 12:56 pm
Top
Post a reply

Return to OCS Development

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group
cron