Fixing XSS for user registration

This commit is contained in:
Sebastian Grewe 2013-07-11 15:49:08 +02:00
parent ed573e6e46
commit 5b50422675
3 changed files with 9 additions and 4 deletions


@ -442,6 +442,10 @@ class User {
**/
public function register($username, $password1, $password2, $pin, $email1='', $email2='') {
$this->debug->append("STA " . __METHOD__, 4);
if (strlen($username > 40)) {
$this->setErrorMessage('Username exceeding character limit');
return false;
}
if ($this->getEmail($email1)) {
$this->setErrorMessage( 'This e-mail address is already taken' );
return false;
@ -482,8 +486,9 @@ class User {
$password_hash = $this->getHash($password1);
$pin_hash = $this->getHash($pin);
$apikey_hash = $this->getHash($username);
$username_clean = strip_tags($username);
if ($this->checkStmt($stmt) && $stmt->bind_param('sssss', $username, $password_hash, $email1, $pin_hash, $apikey_hash)) {
if ($this->checkStmt($stmt) && $stmt->bind_param('sssss', $username_clean, $password_hash, $email1, $pin_hash, $apikey_hash)) {
if (!$stmt->execute()) {
$this->setErrorMessage( 'Unable to register' );
if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username or email already registered' );
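Review bot: The new length guard in the first hunk, `if (strlen($username > 40))`, has its closing parenthesis in the wrong place: `$username > 40` is evaluated first and strlen() is applied to the resulting boolean, so the check yields 0 or 1 and can never reject an over-long username; it should read `if (strlen($username) > 40) {`. In the second hunk, binding `$username_clean` instead of `$username` only strips tags from the stored value; strip_tags() is not an HTML-escaping function, so the username must still be escaped wherever it is rendered (as the template changes in this commit do), and a comment such as `// strip_tags() is input hygiene only; output is escaped in the templates` would keep a later maintainer from treating it as the XSS fix. Note also that the length check runs on the raw value while the trimmed `$username_clean` is what gets stored. register() continues past the end of the second hunk.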


@ -48,8 +48,8 @@
{section name=user loop=$USERS|default}
<tr>
<td class="center">{$USERS[user].id}</td>
<td>{$USERS[user].username}</td>
<td>{$USERS[user].email}</td>
<td>{$USERS[user].username|escape}</td>
<td>{$USERS[user].email|escape}</td>
<td class="right">{$USERS[user].shares}</td>
<td class="right">{$USERS[user].hashrate}</td>
<td class="right">{$USERS[user].payout.est_donation|number_format:"8"}</td>
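Review bot: Only the username and email cells gain `|escape` in this row; id, shares, hashrate and est_donation are still emitted raw, and the template alone does not show what types those fields hold. If they are numeric the omission is harmless, but escaping every interpolated value uniformly (`{$USERS[user].id|escape}` and likewise for the other cells) removes the need for that per-column reasoning and keeps the row consistent with the two cells changed here. `|escape` defaults to HTML-body escaping, which is the correct context for these `<td>` contents.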


@ -1,5 +1,5 @@
{if $GLOBAL.userdata.username|default}
<h2>Welcome, {$smarty.session.USERDATA.username} <font size='1px'><b>Active Account</b>: <b>{$GLOBAL.fees}%</b> Pool Fee</font> <font size='1px'><i>(You are <a href='{$smarty.server.PHP_SELF}?page=account&action=edit'>donating</a> <b></i>{$GLOBAL.userdata.donate_percent}%</b> <i>of your earnings)</i></font></h2>
<h2>Welcome, {$smarty.session.USERDATA.username|escape} <font size='1px'><b>Active Account</b>: <b>{$GLOBAL.fees|escape}%</b> Pool Fee</font> <font size='1px'><i>(You are <a href='{$smarty.server.PHP_SELF}?page=account&action=edit'>donating</a> <b></i>{$GLOBAL.userdata.donate_percent|escape}%</b> <i>of your earnings)</i></font></h2>
{else}
<h2>Welcome guest, <font size="1px"> please <a href="{$smarty.server.PHP_SELF}?page=register">register</a> to user this pool.</font></h2>
{/if}
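Review bot: `{$smarty.server.PHP_SELF}` inside the `href` on the changed line (and on the guest line below it) is still unescaped, while every other interpolated value on that line now carries `|escape`; PHP_SELF is derived from the request path, so it is the same class of request-influenced input this commit is addressing. Use `{$smarty.server.PHP_SELF|escape}` there, or link to a fixed relative path such as `?page=account&action=edit`, which needs no server variable at all. Smarty's default `escape` modifier is, as far as I recall, htmlspecialchars with ENT_QUOTES, so the single-quoted attribute context is otherwise covered — worth confirming for the Smarty version this project bundles.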