Changeset 17984


Timestamp:
09/18/12 14:09:45 (7 years ago)
Author:
plg
Message:

merge r17983 from branch 2.4 to trunk

bug 2750 fixed: HTML-sanitize $_POST['username_or_email'] before display (both
username and email don't allow HTML tags...)

Original report by Stefan Schurtz via Secunia SVCRP

File:
1 edited

  • trunk/password.php

    r15578 r17984  
    325325  if (isset($_POST['username_or_email'])) 
    326326  { 
    327     $template->assign('username_or_email', stripslashes($_POST['username_or_email'])); 
     327    $template->assign('username_or_email', stripslashes(strip_tags($_POST['username_or_email']))); 
    328328  } 
    329329} 
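Review bot: strip_tags() is tag removal, not output escaping, so the changed line at 327 still passes `"`, `'`, `&` and a lone `<` through to the template unchanged; if the template echoes username_or_email into a `value="..."` attribute or elsewhere in HTML without its own escaping, a quote in the submitted value can still terminate the attribute. The safer fix for a reflected user value is context-appropriate escaping at the output point, e.g. `htmlspecialchars(stripslashes($_POST['username_or_email']), ENT_QUOTES, 'UTF-8')` (or the template engine's escape modifier), with strip_tags() kept only if the goal is also to normalise the stored value. Worth a second look as well: the stripslashes() call predates this change and only makes sense under magic_quotes_gpc; applying it unconditionally corrupts a legitimately entered backslash when that setting is off.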