Diaspora: Field Validation isn't proper

Created on 4 Sep 2019 · 3 Comments · Source: diaspora/diaspora

POD Version: v0.7.10.0

Steps to reproduce:

  1. Log in to the diaspora instance >> Profile >> Edit my profile >> My extended profile
  2. "Your bio", "Your location" & "Your gender" are accepting any character/symbol

Expected behavior:
Blacklisting is an approach which consists of checking the input data for malicious characters but
a more effective approach is whitelisting. Whitelisting consists of only allowing certain characters to be submitted.

Actual behavior:
Input Fields are accepting any character/symbol.

It exists here also:
https://xx.xxx.xx.xxx/stream
https://xx.xxx.xx.xxx/aspects
https://xx.xxx.xx.xxx/followed_tags
https://xx.xxx.xx.xxx/public
https://xx.xxx.xx.xxx/user/edit
https://xx.xxx.xx.xxx/contacts
https://xx.xxx.xx.xxx/admins/user_search

All 3 comments

"Gender" Field can be a Drop-down.

If we render any field without proper XSS escaping or encoding somewhere, please open an issue about that. Otherwise these are intended to be entirely free-form.

"Gender" Field can be a Drop-down.

No.
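To illustrate the maintainer's point that free-form fields are fine as long as rendering escapes them, here is an added example (not Diaspora's own code): plain Ruby with `CGI.escapeHTML` standing in for the view layer's escaping, rendering constructed sample values for the three extended-profile fields both unescaped and escaped, plus a small check that flags any tag in the output other than the wrapper we emit.

```ruby
require "cgi"

# Constructed sample values for the fields named in the issue; deliberately
# free-form, including markup-like text a user might legitimately type.
PROFILE = {
  bio:      "Loves <b>tea</b> & code; \"quotes\" and 'apostrophes' welcome",
  location: "Berlin <script>alert(1)</script>",
  gender:   "non-binary / they<>them",
}.freeze

# Anti-pattern: field values interpolated straight into markup.
# Whatever the user typed becomes part of the page's HTML.
def render_unsafe(profile)
  profile.map { |name, value| "<dd class=\"#{name}\">#{value}</dd>" }.join
end

# Correct control: encode at the output boundary. Input stays free-form,
# but every & < > " ' in a value is turned into an entity, so the browser
# treats it as text, not markup. (Rails views do this by default.)
def render_escaped(profile)
  profile.map do |name, value|
    "<dd class=\"#{name}\">#{CGI.escapeHTML(value.to_s)}</dd>"
  end.join
end

# Review check for a rendered fragment: list every tag name present other
# than the <dd> wrapper we emitted ourselves. Anything else leaked through
# from user input without escaping.
def foreign_tags(html)
  html.scan(%r{</?([a-zA-Z][\w-]*)}).flatten.map(&:downcase).uniq - ["dd"]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe  leaks: #{foreign_tags(render_unsafe(PROFILE)).inspect}"
  puts "escaped leaks: #{foreign_tags(render_escaped(PROFILE)).inspect}"
  puts render_escaped(PROFILE)
end
```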