[pLog-svn] r795 - in plog/trunk/class: action/admin dao
oscar at devel.plogworld.net
oscar at devel.plogworld.net
Sun Jan 23 13:30:56 GMT 2005
Author: oscar
Date: 2005-01-23 13:30:56 +0000 (Sun, 23 Jan 2005)
New Revision: 795
Modified:
plog/trunk/class/action/admin/adminadduseraction.class.php
plog/trunk/class/dao/userinfo.class.php
Log:
html markup is not allowed anymore in user names, as this is a potential cross-site scripting vulnerability!
Modified: plog/trunk/class/action/admin/adminadduseraction.class.php
===================================================================
--- plog/trunk/class/action/admin/adminadduseraction.class.php 2005-01-23 13:22:38 UTC (rev 794)
+++ plog/trunk/class/action/admin/adminadduseraction.class.php 2005-01-23 13:30:56 UTC (rev 795)
@@ -94,7 +94,7 @@
$this->notifyEvent( EVENT_POST_USER_ADD, Array( "user" => &$user ));
$this->_view = new AdminSiteUsersListView( $this->_blogInfo );
- $this->_view->setSuccessMessage( $this->_locale->pr("user_added_ok", $this->_userName));
+ $this->_view->setSuccessMessage( $this->_locale->pr("user_added_ok", $user->getUsername()));
$this->setCommonData();
return true;
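Review bot: The success message now prints `$user->getUsername()`, which is the name after the DAO has stripped markup, while `$this->_userName` (presumably the raw request value that was validated and passed to the constructor earlier in this action, outside the hunk) may differ from it; when they differ the account is created under a name the administrator never typed, with no feedback. Consider comparing the two before reporting success, e.g. `if ( $user->getUsername() != $this->_userName ) { /* reject or warn about stripped markup */ }`. Stripping in the DAO is also a narrower defence than escaping at output: whether `$this->_locale->pr()` or `setSuccessMessage()` escape their argument is not visible here, and any template that prints a username should still pass it through `htmlspecialchars()`, since the same point applies to the `setUsername()` change in userinfo.class.php. The enclosing method starts outside the hunk.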
Modified: plog/trunk/class/dao/userinfo.class.php
===================================================================
--- plog/trunk/class/dao/userinfo.class.php 2005-01-23 13:22:38 UTC (rev 794)
+++ plog/trunk/class/dao/userinfo.class.php 2005-01-23 13:30:56 UTC (rev 795)
@@ -6,8 +6,8 @@
include_once( PLOG_CLASS_PATH."class/database/dbobject.class.php" );
include_once( PLOG_CLASS_PATH."class/gallery/dao/galleryresource.class.php" );
+ include_once( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
-
/**
* Represents a user in our application. Includes information such as the username,
* password, email, etc.
@@ -31,7 +31,7 @@
{
$this->DbObject();
- $this->_username = $username;
+ $this->setUsername( $username );
$this->_password = $password;
$this->_id = $id;
$this->_aboutmyself = $aboutMyself;
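Review bot: Routing the constructor through `setUsername()` makes the filter run on every `UserInfo` instantiation, which presumably includes rows the DAO loads back from the database, not only admin-created users. An existing stored username that contains markup would then be presented as a different string from what is stored, and a lookup keyed on the filtered name might not match the stored row — worth confirming how users are materialized from the database. If load paths also pass through this constructor, the filter may belong in the add path alone, or the change should be paired with a one-time clean-up of existing rows. The constructor's parameter list and end are outside the hunk.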
@@ -86,7 +86,7 @@
function setUsername( $newUsername )
{
- $this->_username = $newUsername;
+ $this->_username = Textfilter::filterAllHTML( $newUsername );
}
function setPassword( $newPassword )
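Review bot: `setUsername()` stores the result of `Textfilter::filterAllHTML()` without checking it, so a name consisting only of markup would yield an empty `_username`; the exact behaviour of `filterAllHTML` is not visible in this diff, but an empty or otherwise changed result should be rejected where the name is validated, e.g. `$filtered = Textfilter::filterAllHTML( $newUsername ); if ( $filtered == "" ) return false; $this->_username = $filtered;` with callers checking the return, or equivalently in the add action's validation step. A short comment on the assignment would also help the next maintainer, e.g. `// markup is stripped here because usernames are rendered in admin pages (see r795)`. `setPassword()` on the hunk's last line continues outside the hunk.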