diff options
author | Andrew Dolgov <[email protected]> | 2020-09-14 20:53:00 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2020-09-14 20:53:00 +0300 |
commit | 4a074111b5bce126724bf06c9dc83880432e74c9 (patch) | |
tree | ab5d77622c779e590634a79b727b2b3b42f3d60e /classes/pref | |
parent | da98ba662ea2af58c27eadecf444537ea07a04c7 (diff) |
user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())
Diffstat (limited to 'classes/pref')
-rw-r--r-- | classes/pref/prefs.php | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index 475cd797f..b3341623c 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected { $old_pw = clean($_POST["old_password"]); $new_pw = clean($_POST["new_password"]); + $new_unclean_pw = $_POST["new_password"]; $con_pw = clean($_POST["confirm_password"]); + if ($new_unclean_pw != $new_pw) { + print "ERROR: ".format_error("New password contains disallowed characters."); + return; + } + if ($old_pw == $new_pw) { print "ERROR: ".format_error("New password must be different from the old one."); return; @@ -380,12 +386,12 @@ class Pref_Prefs extends Handler_Protected { print "<fieldset>"; print "<label>" . __("New password:") . "</label>"; - print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>"; + print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>"; print "</fieldset>"; print "<fieldset>"; print "<label>" . __("Confirm password:") . "</label>"; - print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>"; + print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>"; print "</fieldset>"; print_hidden("op", "pref-prefs"); |