From 453a161a78acf07926a9ad7a8afef7cb07b23e7b Mon Sep 17 00:00:00 2001
From: Paul Arthur <paul.arthur@flowerysong.com>
Date: Thu, 7 Feb 2013 16:34:21 -0500
Subject: Scrub user data in User->update()

Fixes another persistent XSS vulnerability.
---
 lib/class/user.class.php | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

(limited to 'lib/class')

diff --git a/lib/class/user.class.php b/lib/class/user.class.php
index edc711e9..56ed97bc 100644
--- a/lib/class/user.class.php
+++ b/lib/class/user.class.php
@@ -396,7 +396,6 @@ class User extends database_object {
      * good stuff
      */
     public function update($data) {
-
         if (empty($data['username'])) {
             Error::add('username', T_('Error Username Required'));
         }
@@ -409,14 +408,20 @@ class User extends database_object {
             return false;
         }
 
-        foreach ($data as $name=>$value) {
+        foreach ($data as $name => $value) {
+            if ($name == 'password1') {
+                $name = 'password';
+            }
+            else {
+                $value = scrub_in($value);
+            }
+
             switch ($name) {
-                case 'password1';
-                    $name = 'password';
+                case 'password';
                 case 'access':
                 case 'email':
                 case 'username':
-                case 'fullname';
+                case 'fullname':
                     if ($this->$name != $value) {
                         $function = 'update_' . $name;
                         $this->$function($value);
@@ -425,13 +430,11 @@ class User extends database_object {
                 default:
                     // Rien a faire
                 break;
-            } // end switch on field
-
-        } // end foreach
+            }
+        }
 
         return true;
-
-    } // update
+    }
 
     /**
      * update_username
-- 
cgit