Quotes missing?

OCS development discussion, enhancement requests, third-party patches and plug-ins.


Post by lmnop » Mon Feb 16, 2009 7:59 am

Hi, just something minor I noticed (maybe even a non-issue),

On line 30 of templates/user/createAccount.tpl, I think quotes might need to be added around the value to prevent someone from injecting some funny code since $source is obtained directly from the URL. It doesn't seem to escape spaces from the URL (%20), so it might be possible to add JavaScript code in the form of a separate (maybe browser specific) attribute in the tag. Maybe I'm letting my paranoia get the best of me though...

The line looks like (this is from the CVS checkout):
{if $source}
  <input type="hidden" name="source" value={$source|escape}/>
{/if}


Thanks,
Will

Re: Quotes missing?

Post by asmecher » Mon Feb 16, 2009 8:36 am

Hi Will,

That is indeed a bug -- I've created an entry for it and corrected it in CVS; see http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=4069. A quick grep didn't turn up any other examples of the same problem. Most of the injection risks are mitigated by the "escape" modifier, though it may be possible to get some very simple JavaScript through.

Regards,
Alec Smecher
Public Knowledge Project Team
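
An added example, not part of the thread or of PKP's code: a Python sketch of a template check along the lines of the "quick grep" mentioned in the reply, plus a parse of the rendered tag showing why HTML-escaping alone does not contain a value placed in an unquoted attribute. The regex heuristics, the constructed quoted sample line, the benign test value, and the use of `html.escape` as a stand-in for Smarty's `escape` modifier are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Heuristic: attr={$var...} with no quote between '=' and the Smarty tag.
UNQUOTED = re.compile(r'([\w:-]+)\s*=\s*(\{\$[^}]*\})')
QUOTED_RUN = re.compile(r'"[^"]*"|\'[^\']*\'')

# Line 2 is the template line from the post; line 3 is a constructed quoted form.
SAMPLE = '''{if $source}
  <input type="hidden" name="source" value={$source|escape}/>
  <input type="hidden" name="fixed" value="{$source|escape}"/>
{/if}'''

def find_unquoted_attrs(template_text):
    """Return (line_no, attr, expr) for Smarty values used as bare attribute values."""
    hits = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        # Blank out quoted runs (same length) so {$var} inside "..." is not reported.
        masked = QUOTED_RUN.sub(lambda m: "_" * len(m.group()), line)
        for m in UNQUOTED.finditer(masked):
            hits.append((line_no, m.group(1), line[m.start(2):m.end(2)]))
    return hits

class _Names(HTMLParser):
    """Records the attribute names of the last start tag seen."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names = [name for name, _ in attrs]

def attr_names_after_render(value, quoted):
    """Render the input tag with an HTML-escaped value; return the parsed attribute names."""
    escaped = html.escape(value, quote=True)  # assumed stand-in for Smarty's |escape
    q = '"' if quoted else ''
    parser = _Names()
    parser.feed(f'<input type="hidden" name="source" value={q}{escaped}{q}/>')
    parser.close()
    return parser.names

if __name__ == "__main__":
    print(find_unquoted_attrs(SAMPLE))
    # Benign constructed value: escaping leaves the space and '=' untouched.
    print(attr_names_after_render("a b=c", quoted=False))
    print(attr_names_after_render("a b=c", quoted=True))
```

The scanner works line by line, so an attribute whose quotes span several lines needs a manual look.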