
mahara-contributors team mailing list archive

[Bug 1697308] A change has been merged

 

Reviewed:  https://reviews.mahara.org/7820
Committed: https://git.mahara.org/mahara/mahara/commit/d9fd5e8df31fbc55624b0e34d466765cbe6b7f5c
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit d9fd5e8df31fbc55624b0e34d466765cbe6b7f5c
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Mon Jun 12 08:49:51 2017 +1200

Security Bug 1697308: Sanitizing the registration form information

To avoid potential hacking vectors for the site

behatnotneeded

Change-Id: I53088c5e73017bc59f156483509e1bb7e8c1710a
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1697308

Title:
  Potential attack vector via registration form

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Committed

Bug description:
  As reported by Mushraf Mustafa

  By using something like

  Lastname: <img src='nothing' onerror='myFunction'>

  A user can submit a potentially dangerous payload to be saved as their name in the usr_registration table.
  The values are then also emailed out to the user and admin.

  And if accepted become part of the new user's account.

  We should clean up the submitted values from the form and remove any
  HTML tags and JavaScript code as that is not valid input.

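As an added illustration of the approach the bug calls for (reject registration values that carry HTML tags or script, and encode the stored name wherever it is later rendered), and not code from the Mahara commit above: a small stand-alone PHP routine. The function names, the 255-character bound and the use of the mbstring extension are assumptions, not Mahara's own API.

```php
<?php
// Added example, not Mahara's code: validate a registration "name" field on
// input, and encode it on output (notification email, admin approval page,
// the new account's profile). Assumes PHP 7.1+ with mbstring.
declare(strict_types=1);

/** True when the submitted value contains markup, even if entity-encoded. */
function contains_markup(string $raw): bool
{
    // Decode first so "&lt;img ...&gt;" is caught as well as "<img ...>".
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strip_tags($decoded) !== $decoded
        || preg_match('/[<>]/', $decoded) === 1;
}

/** Normalise an accepted name: no control chars, single spaces, bounded length. */
function clean_registration_name(string $raw, int $maxlen = 255): string
{
    $s = preg_replace('/[\x00-\x1F\x7F]/u', '', $raw);
    $s = preg_replace('/\s+/u', ' ', $s);
    return mb_substr(trim($s), 0, $maxlen, 'UTF-8');
}

/**
 * Form validation rule. Rejecting, rather than silently stripping, tells the
 * registrant why the value was refused. Returns an error string or null.
 */
function validate_registration_name(string $raw): ?string
{
    if (contains_markup($raw)) {
        return 'Name must not contain HTML tags or script.';
    }
    if (clean_registration_name($raw) === '') {
        return 'Name must not be empty.';
    }
    return null;
}

/** Output encoding for an HTML context; still required even after validation. */
function name_for_html(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the payload quoted in the bug report and two plain names.
$payload = "<img src='nothing' onerror='myFunction'>";
var_dump(validate_registration_name($payload));       // error string: rejected
var_dump(validate_registration_name("O'Brien"));      // null: accepted
var_dump(validate_registration_name("&lt;b&gt;Bob"));  // error string: rejected
echo name_for_html($payload), PHP_EOL;               // rendered inert
```

Input validation here is defence in depth: names already stored before the fix, and any other path that writes to usr_registration, are only safe if every renderer of the value also goes through name_for_html or an equivalent encoder.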