You are viewing the PKP Support Forum | PKP Home Wiki

Quotes missing?

OCS development discussion, enhancement requests, third-party patches and plug-ins.

Moderators: jmacgreg, michael

Forum rules
Developer Resources:

Documentation: The OJS Technical Reference and the OJS API Reference are both available from the OJS Documentation page. While these are OJS-specific, the OCS codebase is similar enough to OJS they should be of help. There is also an [url=http://pkp.sfu.ca/ocs_documentation[/url]OCS Documentation[/url] page with some more general documentation that might also be of interest.

Git: You can access our public Git Repository here. Comprehensive Git usage instructions are available on the wiki.

Bugzilla: You can access our Bugzilla report tracker here.

Search: You can use our Google Custom Search to search across our main website, the support forum, and Bugzilla.

Questions and discussion are welcome, but if you have a workflow or usability question you should probably post to the OCS Conference Support and Discussion subforum; if you have a technical support question, try the OCS Technical Support subforum.

Quotes missing?

Postby lmnop » Mon Feb 16, 2009 7:59 am

Hi, just something minor I noticed (maybe even a non-issue),

On line 30 of templates/user/createAccount.tpl, I think quotes might need to be added around the value to prevent someone from injecting some funny code since $source is obtained directly from the URL. It doesn't seem to escape spaces from the URL (%20), so it might be possible to add JavaScript code in the form of a separate (maybe browser specific) attribute in the tag. Maybe I'm letting my paranoia get the best of me though...

The line looks like (this is from the CVS checkout):
Code: Select all
{if $source}
  <input type="hidden" name="source" value={$source|escape}/>

Posts: 1
Joined: Mon Feb 16, 2009 7:29 am

Re: Quotes missing?

Postby asmecher » Mon Feb 16, 2009 8:36 am

Hi Will,

That is indeed a bug -- I've created an entry for it and corrected it in CVS; see http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=4069. A quick grep didn't turn up any other examples of the same problem. Most of the injection risks are mitigated by the "escape" modifier, though it may be possible to get some very simple Javascript through.

Alec Smecher
Public Knowledge Project Team
Posts: 10015
Joined: Wed Aug 10, 2005 12:56 pm

Return to OCS Development

Who is online

Users browsing this forum: No registered users and 0 guests