Aug 8th 2008
 
Possible Security Flaw (comment # 4)

It could only affect admins visiting the personalisation account page of other users.
 
Aug 8th 2008 edited
 
Here is the fix:
Index: src/library/Vanilla/Vanilla.Control.IdentityForm.php
===================================================================
--- src/library/Vanilla/Vanilla.Control.IdentityForm.php (revision 711)
+++ src/library/Vanilla/Vanilla.Control.IdentityForm.php (working copy)
@@ -23,7 +23,13 @@
* @package Vanilla
*/
class IdentityForm extends PostBackControl {
+ /**
+ * @var UserManager
+ */
var $UserManager;
+ /**
+ * @var User
+ */
var $User;

function IdentityForm (&$Context, &$UserManager, &$User) {
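Review bot: The two new docblocks on `$UserManager` and `$User` give only an `@var` type and no description. Since the constructor takes `&$User` by reference, a one-line summary on each property would say more than the type alone, for example that `$User` is the account this form shows, which per the report can be a different user from the admin viewing it. These documentation-only lines are also separate from the fix itself and could go in their own commit so the security change is easier to audit.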
@@ -53,6 +59,7 @@

function Render() {
if ($this->IsPostBack) {
+ $this->User->FormatPropertiesForDisplay();
$this->CallDelegate('PreRender');
include(ThemeFilePath($this->Context->Configuration, 'account_identity_form.php'));
$this->CallDelegate('PostRender');
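Review bot: The added `$this->User->FormatPropertiesForDisplay();` line in `Render()` carries no comment saying it is the fix for the reported flaw, so a later cleanup could drop it as redundant; a short comment above it would prevent that. Two points to confirm before merging: the return value is unused, which suggests the call changes `$this->User` in place, and the constructor receives `&$User` by reference, so delegates attached to `PreRender` and any other code holding the same object will now see display-formatted values, and a second formatting pass elsewhere could double-encode them. The call also sits inside `if ($this->IsPostBack)`; if `account_identity_form.php` is ever included from another branch, that path would need the same call.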

Vanilla r712

Issue information

  • 72
  • Dinoboff

    Bug Tracker

  • Resolved
  • Low
  • Bug

Vanilla 1.1.5 is a product of Lussumo. More Information: Documentation, Community Support.