web: don't allow special chars in user names.
Check this (and show appropriate message) in both account creation
and user name update
davidpanderson committed Oct 11, 2024
1 parent dca4153 commit 3b1edd1
Showing 2 changed files with 6 additions and 5 deletions.
4 changes: 2 additions & 2 deletions html/inc/user_util.inc
Expand Up @@ -86,8 +86,8 @@ function is_valid_user_name($name, &$reason) {
$reason = tra("user name must be nonempty");
return false;
}
if (sanitize_tags($name) !== $name) {
$reason = tra("user name may not contain HTML tags");
if (filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS) !== $name) {
$reason = tra("user name may not contain special characters");
return false;
}
if (is_numeric($name)) {
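Review bot: The message on the second added line tells the user only that "special characters" are rejected, but FILTER_SANITIZE_SPECIAL_CHARS encodes `<`, `>`, `&`, `"`, `'` and ASCII control characters, so a name such as O'Brien now fails with no indication of which character to remove. Naming the rejected characters keeps the check as strict while making it actionable, e.g. `$reason = tra("user name may not contain the characters < > & \" ' or control characters");`. Because the comparison is exact, the name is rejected as soon as filter_var changes any byte, which is the intended fail-closed behaviour; this is an input-side guard and does not remove the need to escape the name wherever it is rendered. is_valid_user_name begins before this hunk and continues past it.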
7 changes: 4 additions & 3 deletions html/user/edit_user_info_action.php
Expand Up @@ -19,16 +19,17 @@
require_once("../inc/boinc_db.inc");
require_once("../inc/user.inc");
require_once("../inc/util.inc");
require_once("../inc/user_util.inc");
require_once("../inc/countries.inc");

check_get_args(array("tnow", "ttok"));

$user = get_logged_in_user();
check_tokens($user->authenticator);

$name = trim(post_str("user_name"));
if ($name != sanitize_tags($name)) {
error_page(tra("HTML tags are not allowed in your name."));
$name = post_str("user_name");
if (!is_valid_user_name($name, $reason)) {
error_page($reason);
}
if (strlen($name) == 0) {
error_page(tra("You must supply a name for your account."));
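Review bot: The replacement for the first removed line drops the trim() it applied, so leading and trailing whitespace in the submitted name is now kept, and a name consisting only of spaces passes the strlen check below unless is_valid_user_name trims internally, which this diff does not show. Keeping the trim, `$name = trim(post_str("user_name"));`, preserves the previous normalisation before validation. The strlen-zero check that follows appears to duplicate the nonempty check inside is_valid_user_name (its "user name must be nonempty" reason is visible in the other hunk), so it could be removed once the helper is the single source of validation. The script continues past the end of this hunk.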
