#30 template new_dn shouldn't be passed thru htmlspecialchars

Milestone: 0.9.0
Status: closed
Owner: David Smith
Labels: None
Priority: 9
Updated: 2012-09-06
Created: 2003-09-15
Creator: Daniel Bell
Private: No

See line 161 of
"templates/creation/new_address_template.php"

cn's spaces can be transformed by htmlspecialchars,
causing a failure when adding a new inetOrgPerson
record. Problem seems resolved by simply removing the
call to htmlspecialchars.

Not sure if this is true on all OS's, though I assume
it is. This problem is verified in FreeBSD 4.7 and 4.8.

Wonderful work! Thank you!
Contact virus@btsnyc.com for questions.
Daniel Bell

Discussion

  • David Smith
    2003-09-15

    Logged In: YES
    user_id=602471

    Thanks, will work on a fix ASAP.

  • David Smith
    2003-09-15

    Logged In: YES
    user_id=602471

    I cannot duplicate this bug on Debian unstable, with PHP
    4.3.1. If I were to remove that call to htmlspecialchars(),
    it would likely open a cross-site scripting vulnerability
    (not a huge concern for PLA, but still). Can you provide
    some test cases that fail on your setup?
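
Added example, not part of the ticket and not phpLDAPadmin's code: the trade-off raised in the last comment, shown in PHP. It assumes new_dn is written into a hidden form field; the function names and sample DNs are constructed. Encoding with htmlspecialchars() at the HTML boundary keeps markup characters inert and the DN decodes back unchanged on submission, while the encoded string itself is not a valid substitute for the DN.

```php
<?php
// Added illustration, not phpLDAPadmin code; function names are hypothetical.

// Encode at the HTML boundary only: the value written into the attribute.
function hidden_dn_field(string $dn): string
{
    return '<input type="hidden" name="new_dn" value="'
        . htmlspecialchars($dn, ENT_QUOTES, 'UTF-8') . '">';
}

// Stand-in for the browser, which decodes character references in the
// attribute before submitting, so the server receives the raw DN again.
function browser_submits(string $field): string
{
    if (!preg_match('/value="([^"]*)"/', $field, $m)) {
        throw new RuntimeException('no value attribute found');
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample DNs: one with plain spaces, one with markup characters.
$samples = [
    'cn=John Smith,ou=People,dc=example,dc=com',
    'cn=R&D "Lab" <b>,ou=People,dc=example,dc=com',
];

foreach ($samples as $dn) {
    $field    = hidden_dn_field($dn);
    $received = browser_submits($field);
    // The anti-pattern: handing the encoded string to the directory
    // as if it were the DN.
    $as_data  = htmlspecialchars($dn, ENT_QUOTES, 'UTF-8');

    echo "DN:             $dn\n";
    echo "HTML field:     $field\n";
    echo "round trip ok:  " . var_export($received === $dn, true) . "\n";
    echo "encoded == DN:  " . var_export($as_data === $dn, true) . "\n\n";
}
```

htmlspecialchars() rewrites only `&`, `"`, `'`, `<` and `>`, so the first DN comes out byte-for-byte identical; only the second differs in its encoded form.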