
#99 Huge XSS vulnerability in myUPB v2.2.7

Milestone: v2.2.7
Status: closed
Owner: nobody
Labels: Core (42)
Priority: 9
Updated: 2014-05-16
Created: 2011-05-17
Creator: Hans
Private: No

The RemoveXSS() function has been broken in 2.2.7 because it was "preventing xajax from functioning properly", so there is almost no protection against XSS. And even when it was working it was a bad idea, because you cannot expect to blacklist all on* events and potentially harmful tags (HTML5 is still a moving target, new tags/events could still be added), and some other less evil tags could still be used to deface your forum (for example the comment tag <!--). This problem affects most profile fields (location, avatar, MSN...), the BB-code system, private messages, the search page, the login page and the lost password page.

A possible solution would be to make RemoveXSS() insert <x> again, but that would probably break xajax again and would not prevent everything. So instead it would be better to use the xml_clean() function (includes/inc/func.inc.php) on input that needs filtering. There was also a small bug in this function, “\’” was being replaced with “'”, but actually it should have been just “‘“.
I have made a patch:
Fixed files: http://maesalu.com/myupb/myUPB_227_fixed.zip
And line by line changes: http://maesalu.com/myupb/myUPB_227_fixes.txt
I do not have write access to the Git repository, so I cannot commit these changes myself; hopefully someone else can do it so this problem can be fixed in the next release.
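To illustrate the ticket's argument that a tag/event blacklist in the style of RemoveXSS() cannot keep up while encoding makes every value inert, here is an added example (not myUPB code, and the small blacklist_filter() below is a hypothetical stand-in, not the project's function):

```php
<?php
// Added example, not part of myUPB. Contrasts a blacklist filter in the
// spirit of RemoveXSS() with context-aware HTML encoding at output time.

// Blacklist approach (hypothetical stand-in): strip a fixed set of
// dangerous tags and on* handlers. Anything outside the list, such as
// the <!-- comment opener mentioned in the ticket, passes through.
function blacklist_filter(string $input): string {
    $tags = ['script', 'iframe', 'object', 'embed'];
    foreach ($tags as $tag) {
        $input = preg_replace('#</?' . $tag . '[^>]*>#i', '', $input);
    }
    // Remove on* event attributes (quoted or bare values).
    return preg_replace('#\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $input);
}

// Encoding approach: do not decide which markup is "safe"; make the value
// inert in HTML text and attribute contexts. ENT_QUOTES covers both quote
// characters, so the result is also safe inside quoted attributes.
function encode_for_html(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Does the string still contain a character that can open markup?
function contains_markup(string $s): bool {
    return strpbrk($s, '<>"\'') !== false;
}

// Constructed sample values for a profile field such as "location".
$samples = [
    'Tallinn, Estonia',               // benign
    '<!-- rest of the page is gone',  // comment opener, defaces the layout
    '<b onmouseover=x>hover</b>',     // handler on a tag not in the list
];

foreach ($samples as $s) {
    $b = blacklist_filter($s);
    printf("%-32s blacklist: %-28s [%s]\n", $s, $b,
        contains_markup($b) ? 'still markup' : 'ok');
    printf("%-32s encoded:   %s\n", '', encode_for_html($s));
}
```

The comment opener survives the blacklist untouched, whereas every sample comes out of encode_for_html() without a raw `<`, `>` or quote, which is why applying escaping (as the ticket proposes with xml_clean()) beats extending the blacklist.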

Discussion

  • Hans - 2011-05-17

    Line by line changes

  • Hans - 2011-05-17

    Fixed files

  • Clark - 2014-05-16

    • status: open --> closed
