Notice

The forum is in read only mode.

Support Forum

Welcome! Support Forums have been reactivated
Welcome the Technical Support section. Help us in assisting you by providing us with a concise and descriptive elaboration of your issues. Be specific and if possible, provide us with a step-by-step instruction in replicating your problem.

no santization on private messages

8 years 2 months ago
  • Tom's Avatar
    Topic Author
  • Tom
  • Offline
  • Fresh Boarder
  • Thank you received: 0
Licenses:
JomSocial Active

ISSUE SUMMARY:

Input is not sanitized when sending private messages between users





STEPS TO REPLICATE:
1 Log in as any user
2 Compose and send private message containing script to any other user, including admins

RESULT

Log in as 2nd user, see script is executed

EXPECTED RESULT

Sanitized message

BROWSER

Tested on FF + Chrome

Attachments:
8 years 2 months ago
Licenses:

Hi,

its a bug. please wait for the fix.

Regards

8 years 2 months ago
Licenses:

Hi,

here the fix:
please edit /components/com_community/templates/jomsocial/layouts/inbox.message.php at line 36, change the code from

$content = filter_var( htmlspecialchars_decode($content), FILTER_UNSAFE_RAW );
to
$content = filter_var( htmlspecialchars_decode($content), FILTER_SANITIZE_STRING );

Regards

The following user(s) said Thank You: Tom
8 years 2 months ago
  • Tom's Avatar
    Topic Author
  • Tom
  • Offline
  • Fresh Boarder
  • Thank you received: 0
Licenses:
JomSocial Active

It works - the script tag is stripped out and nothing is executed.

Moderators: Piotr Garasiński
Powered by Kunena Forum

Join 180,000 websites creating Amazing communities

JomSocial is the most complete, easy-to-use addon that turns Joomla CMS into a
full -fledged, social networking site

TRY NOW BUY NOW

About Us

Our product

Support

Contact Us

Site Policies

Elsewhere

© JomSocial.com All Rights Reserved