[pLog-svn] r795 - in plog/trunk/class: action/admin dao

oscar at devel.plogworld.net oscar at devel.plogworld.net
Sun Jan 23 13:30:56 GMT 2005


Author: oscar
Date: 2005-01-23 13:30:56 +0000 (Sun, 23 Jan 2005)
New Revision: 795

Modified:
   plog/trunk/class/action/admin/adminadduseraction.class.php
   plog/trunk/class/dao/userinfo.class.php
Log:
HTML markup is no longer allowed in user names, as it is a potential cross-site scripting vulnerability!

Modified: plog/trunk/class/action/admin/adminadduseraction.class.php
===================================================================
--- plog/trunk/class/action/admin/adminadduseraction.class.php	2005-01-23 13:22:38 UTC (rev 794)
+++ plog/trunk/class/action/admin/adminadduseraction.class.php	2005-01-23 13:30:56 UTC (rev 795)
@@ -94,7 +94,7 @@
 			$this->notifyEvent( EVENT_POST_USER_ADD, Array( "user" => &$user ));
 
             $this->_view = new AdminSiteUsersListView( $this->_blogInfo );
-            $this->_view->setSuccessMessage( $this->_locale->pr("user_added_ok", $this->_userName));
+            $this->_view->setSuccessMessage( $this->_locale->pr("user_added_ok", $user->getUsername()));
             $this->setCommonData();
 
             return true;
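Review bot: The success message now takes the name from `$user->getUsername()`, which only removes the XSS if the stored value is guaranteed tag-free or the view escapes it; filtering in the DAO is a storage-side sanitisation, so the template that renders `user_added_ok` should still HTML-escape its arguments rather than rely on every write path going through `setUsername()`. The raw `$this->_userName` is presumably still read earlier in this action (validation, building the `$user` object), which lies outside the hunk. A short comment on the changed line would record the intent: `// use the filtered name from the object, not the raw request value`. The enclosing method starts and ends outside this hunk.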

Modified: plog/trunk/class/dao/userinfo.class.php
===================================================================
--- plog/trunk/class/dao/userinfo.class.php	2005-01-23 13:22:38 UTC (rev 794)
+++ plog/trunk/class/dao/userinfo.class.php	2005-01-23 13:30:56 UTC (rev 795)
@@ -6,8 +6,8 @@
 
 	include_once( PLOG_CLASS_PATH."class/database/dbobject.class.php" );
     include_once( PLOG_CLASS_PATH."class/gallery/dao/galleryresource.class.php" );
+	include_once( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
 
-
     /**
      * Represents a user in our application. Includes information such as the username,
      * password, email, etc.
@@ -31,7 +31,7 @@
 		{
 			$this->DbObject();
 
-			$this->_username = $username;
+			$this->setUsername( $username );
 			$this->_password = $password;
 			$this->_id = $id;
 			$this->_aboutmyself = $aboutMyself;
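Review bot: The constructor now routes every `$username` through `setUsername()`, so the HTML filter also runs on values that did not come from a form; if `UserInfo` is also instantiated when rows are hydrated from the database (not visible here), a pre-existing name containing markup would be altered in memory and no longer match the stored column, which could affect any lookup or comparison keyed on the username. If that path exists, consider filtering only where untrusted input enters (the add/update actions) or normalising existing rows once, and document the decision on the constructor: `// username is passed through Textfilter::filterAllHTML(); see setUsername()`. The filter call itself is the subject of the hunk at `@@ -86,7 +86,7 @@`.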
@@ -86,7 +86,7 @@
 
 		function setUsername( $newUsername )
 		{
-			$this->_username = $newUsername;
+			$this->_username = Textfilter::filterAllHTML( $newUsername );
 		}
 
 		function setPassword( $newPassword )
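Review bot: `Textfilter::filterAllHTML()` presumably rewrites the name rather than rejecting it, so an administrator who enters a name containing `<` or `>` silently ends up with a different username than requested, and a name that becomes empty after filtering is still stored on line `$this->_username = Textfilter::filterAllHTML( $newUsername );`. The stated goal is better served by validating the input in the action (reject names with disallowed characters and report it) and escaping the username at every output point, since stripping tags does not cover attribute or JavaScript contexts. If the strip is kept, the setter should say so: `// strips all HTML (see Textfilter::filterAllHTML); output code must still escape the name`.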



