
Item13739: LoginName is not validated and presents XSS path.

Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
This task addressed validation or encoding of the parameters used during registration and login.

  • Registration parameters are now all entity encoded. Previously there was some encoding done, but it was insufficient to block all XSS paths.
  • The XSS path during login was in the generation of an error message. That path is now blocked.

No further administrator action is needed.
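
The two fixes above, sketched as an added example that is not Foswiki's own code: every registration field is entity encoded, and a login name is validated and encoded before it can appear in an error message. The helper names, the login-name pattern and the set of encoded characters are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Foswiki's encoder): replace the characters that
# let a value break out of HTML text or a quoted attribute.
sub entity_encode {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/([<>&"'%])/'&#' . ord($1) . ';'/ge;
    return $text;
}

# Assumed policy: word characters plus . + @ - and at most 64 characters.
sub is_valid_login_name {
    my ($name) = @_;
    return ( defined $name && $name =~ /\A[-\w.+\@]{1,64}\z/ ) ? 1 : 0;
}

# Encode every submitted registration field, not a hand-picked subset.
sub encode_registration_fields {
    my ($fields) = @_;
    return { map { $_ => entity_encode( $fields->{$_} ) } keys %$fields };
}

# Login failure message: a rejected name is never echoed back, and an
# accepted one is still encoded before it reaches the page.
sub login_error_message {
    my ($name) = @_;
    return 'Login failed: invalid login name.'
      unless is_valid_login_name($name);
    return 'Login failed for ' . entity_encode($name) . '.';
}

# Constructed sample input, not taken from the task report.
my $hostile = '"><script>alert(1)</script>';
print login_error_message($hostile),  "\n";
print login_error_message('JoeUser'), "\n";

my $encoded = encode_registration_fields(
    { FirstName => 'Joe', Comment => '<img src=x onerror=alert(1)>' } );
print "$_ = $encoded->{$_}\n" for sort keys %$encoded;
```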
Topic revision: r8 - 10 Oct 2015, GeorgeClark