MantisBT: master 01d2ffad

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2010-09-18 01:19
Parent: master 0f120c95
Affected Issues: 0012368: Remove input side XSS validation of user real names
Changeset

Issue 0012368: Remove input side XSS validation of user real names

XSS issues should be handled on the output side of MantisBT rather than
on the input side. The user real name field was being validated on the
input side, which is poor design due to the many ways in which
a user real name could change (SOAP API, XML import, web interface,
external scripts, plugins, etc). Furthermore, different output interfaces
(XML, CSS, XHTML, etc) require different sanitisation and escaping
methods.

Thus we should remove the input side XSS validation of the user real
name field so that we allow ANY characters to be used in this field
(except 0x00 of course). Our existing output layers already handle XSS
sanitisation of variables such as the real name field.

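The point of the commit is that a real name is just data at input time and gets encoded for whichever context it is rendered into. The following is an added illustration of that split, not MantisBT's own code: the function names, the sample names and the four output contexts are assumptions for the example. The only input-side rule is the one the commit keeps (no 0x00); everything else is left to a per-context output encoder.

```php
<?php
// Added example (not MantisBT code): accept any real name except NUL on the
// input side, and escape it differently for each output context.

// Constructed sample input: two legitimate names that naive input-side XSS
// filters tend to reject, plus one hostile value.
$names = [
    "Conan O'Brien",
    "Müller & Söhne <Ltd>",
    "\"><script>alert(1)</script>",
];

function realname_store(string $name): string {
    // Input side: the only thing refused is 0x00. Everything else is stored
    // verbatim, so SOAP, XML import and plugins all see the same rule.
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('real name must not contain NUL');
    }
    return $name;
}

function realname_for_html(string $name): string {
    // XHTML text node or double-quoted attribute value: the five markup
    // characters become entities, quotes included.
    return htmlspecialchars($name, ENT_QUOTES | ENT_XHTML, 'UTF-8');
}

function realname_for_xml(string $name): string {
    // XML 1.0 forbids most C0 control characters outright, so escaping alone
    // is not enough: drop them first, then entity-encode the markup characters.
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $name);
    return htmlspecialchars($clean, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function realname_for_css_string(string $name): string {
    // Inside a CSS string literal (e.g. content: "...") every ASCII character
    // that is not a letter or digit is written as a backslash-hex escape
    // terminated by a space. Multibyte UTF-8 (bytes >= 0x80) is left alone.
    return preg_replace_callback(
        '/[\x00-\x2F\x3A-\x40\x5B-\x60\x7B-\x7F]/',
        function ($m) { return sprintf('\\%X ', ord($m[0])); },
        $name
    );
}

function realname_for_js(string $name): string {
    // JavaScript string literal inside an inline <script> block: the HEX flags
    // turn < > & ' " into \uXXXX so that "</script>" cannot close the block.
    return json_encode(
        $name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

foreach ($names as $n) {
    $stored = realname_store($n);
    printf(
        "stored: %s\n  HTML: %s\n  XML:  %s\n  CSS:  %s\n  JS:   %s\n\n",
        $stored,
        realname_for_html($stored),
        realname_for_xml($stored),
        realname_for_css_string($stored),
        realname_for_js($stored)
    );
}
```

Run it with `php example.php`. Note that the same stored value is encoded four different ways, and that none of the encoders needed to know what the others do; that is why a single input-side filter can never be correct for all of them.
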
mod - manage_user_create.php
mod - manage_user_update.php
mod - core/user_api.php
mod - core/custom_field_api.php
mod - account_update.php
mod - core/string_api.php