valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())

This commit is contained in:
Andrew Dolgov 2020-09-14 20:53:00 +03:00
parent da98ba662e
commit 4a074111b5
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
classes/pref/prefs.php
View File

@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected {
$old_pw = clean($_POST["old_password"]); $old_pw = clean($_POST["old_password"]);
$new_pw = clean($_POST["new_password"]); $new_pw = clean($_POST["new_password"]);
$new_unclean_pw = $_POST["new_password"];
$con_pw = clean($_POST["confirm_password"]); $con_pw = clean($_POST["confirm_password"]);
if ($new_unclean_pw != $new_pw) {
print "ERROR: ".format_error("New password contains disallowed characters.");
return;
}
if ($old_pw == $new_pw) { if ($old_pw == $new_pw) {
print "ERROR: ".format_error("New password must be different from the old one."); print "ERROR: ".format_error("New password must be different from the old one.");
return; return;
@ -380,12 +386,12 @@ class Pref_Prefs extends Handler_Protected {
print "<fieldset>"; print "<fieldset>";
print "<label>" . __("New password:") . "</label>"; print "<label>" . __("New password:") . "</label>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>"; print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>";
print "</fieldset>"; print "</fieldset>";
print "<fieldset>"; print "<fieldset>";
print "<label>" . __("Confirm password:") . "</label>"; print "<label>" . __("Confirm password:") . "</label>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>"; print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>";
print "</fieldset>"; print "</fieldset>";
print_hidden("op", "pref-prefs"); print_hidden("op", "pref-prefs");