Kit::ValidateParam fails on passwords containing ampersands
Bug #587947 reported by Micah Tomblin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Xibo | Fix Released | Low | Alex Harrington |
Bug Description
It appears that we're currently running htmlentities() on _PASSWORD types in Kit::ValidatePa
Related branches
lp:~alexharrington/xibo/587947
(Merged)
Changed in xibo: assignee: nobody → Alex Harrington (alexharrington)
Changed in xibo: status: Confirmed → Fix Committed
Changed in xibo: status: Fix Committed → Fix Released
Perhaps need to move to just using sprintf combined with mysql_real_escape_string(). e.g.: http://www.bitrepository.com/sanitize-data-to-prevent-sql-injection-attacks.html
Presumably $db->escape_string() is equivalent to mysql_real_escape_string() so perhaps all that's required is dropping the htmlentities() command?
I've taken a quick look through the installer/upgrader code and I don't think it would care if that happened.
A
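The following is an added illustration of the failure the comments above discuss; it is not Xibo's code. Two small functions stand in for the password branch of Kit::ValidateParam (one applying htmlentities() as the bug report describes, one leaving the value alone), and an in-memory SQLite store reached through PDO with bound parameters stands in for the database layer, which is an assumption for the demo rather than Xibo's $db object. Password hashing uses PHP's password_hash()/password_verify(), again a choice made here for the example.

```php
<?php
// Added illustration, not Xibo's own code: why running htmlentities() on a
// password parameter breaks authentication for passwords containing '&'.
// Kit::ValidateParam is stood in for by two small functions; the PDO/SQLite
// store is an assumption for the demo, not Xibo's database layer.

function validate_password_buggy(string $raw): string
{
    // Behaviour described in the bug report: HTML-encode the value.
    // '&' becomes '&amp;' and a quote becomes '&#039;', so the value no
    // longer equals what the user typed.
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

function validate_password_fixed(string $raw): string
{
    // A password is never rendered as HTML, so it needs no HTML encoding.
    // Protection against SQL injection belongs at the query boundary
    // (a bound parameter in login() below), not in the input validator.
    return $raw;
}

function login(PDO $db, string $name, string $validated): bool
{
    // Bound parameter: the supplied value never becomes part of the SQL text,
    // whatever characters it contains.
    $stmt = $db->prepare('SELECT pw_hash FROM user WHERE name = :n');
    $stmt->execute([':n' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($validated, $row['pw_hash']);
}

// In-memory user store with one constructed account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

$chosen = "p&ss'word";   // constructed password containing '&' and a quote
$insert = $db->prepare('INSERT INTO user (name, pw_hash) VALUES (:n, :h)');
$insert->execute([':n' => 'alice', ':h' => password_hash($chosen, PASSWORD_DEFAULT)]);

// Run the same login attempt through each validator branch.
$branches = [
    'buggy' => 'validate_password_buggy',
    'fixed' => 'validate_password_fixed',
];
foreach ($branches as $label => $fn) {
    $seen = $fn($chosen);
    $result = login($db, 'alice', $seen) ? 'login succeeds' : 'login FAILS';
    printf("%-5s validator -> %s (value seen by login: %s)\n", $label, $result, var_export($seen, true));
}
```

Run with the php CLI (the pdo_sqlite extension must be enabled). The buggy branch fails to log in because the hash was computed over the password as typed while the value handed to login() has its ampersand rewritten as `&amp;`; the fixed branch succeeds, and the bound parameter means dropping htmlentities() does not reopen the SQL-injection concern that the encoding step was presumably guarding against.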