[pLog-svn] username validator 1.2.7 issue
Jon Daley
plogworld at jon.limedaley.com
Thu Apr 10 11:57:12 EDT 2008
On Thu, 10 Apr 2008, Mark Wu wrote:
> Yes, we allowed these characters before ....
The funny thing is that the username validator has blocked them
for a pretty long time, but we just weren't using the username validator
in all situations.
> I don't think there is any good regexp available for this.
> A better way is to use stringvalidate to replace it, but filter all HTML
> & javascript....
stringvalidate doesn't do anything, and probably should be
removed, so people don't have a false sense of security when validating
with it.
Why the issue came up was due to a potential SQL exploit with one of
the non-default user providers.
http://bugs.lifetype.net/view.php?id=1465