ProjeQtOr free project management software - Filters interpreting Html code - ProjeQtOr
Filters interpreting Html code

11 Oct 2013 14:23 #1 by caccia
Hello,

Someone in my organization who uses Projector'RIA has noticed that there might be a vulnerability in the Advanced Filters:
it seems that HTML code can be entered into a filter, and it will be interpreted - meaning that possibly, someone could execute HTML code through the Advanced Filter functionality.

Not sure if there are other mechanisms which would prevent any harm being done, but the risk here would be that an "external project leader" for example could use this to access data he normally would not be allowed to see.

So maybe something to check? Apparently the PHP function "htmlentities" could be used to prevent interpretation of HTML code.

Screenshot here shows that HTML tags (bold, underline) are interpreted.

11 Oct 2013 17:04 #2 by babynus
Hi,

Thanks for reporting this issue.
(Of course, htmlentities does the job, and the tool framework also includes more specific HTML functions to protect data...)

Ticket #1200 recorded. Fix will be included in next version.

Babynus
Administrator of ProjeQtOr web site

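As an added illustration (not ProjeQtOr code; the filter array, the render functions and the `e()` helper are assumed), the raw rendering caccia describes beside the htmlentities-based output encoding babynus refers to:

```php
<?php
// Constructed sample: an Advanced Filter as a user might have saved it.
// The name carries markup and the value carries a double quote, the two
// things a template must neutralise before echoing stored text.
$filter = [
    'name'  => 'Open tickets <b>urgent</b> <u>today</u>',
    'field' => 'status',
    'value' => 'open" class="',
];

// Vulnerable: stored strings are concatenated straight into the page, so the
// browser interprets whatever the user typed into the filter.
function renderFilterRaw(array $f): string {
    return '<tr><td>' . $f['name'] . '</td>'
         . '<td><input name="' . $f['field'] . '" value="' . $f['value'] . '"></td></tr>';
}

// Hardened: encode every stored string at output time. ENT_QUOTES also
// encodes single and double quotes, so a value cannot break out of an
// attribute; the explicit charset avoids silent mis-encoding of UTF-8 input.
function e(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

function renderFilterSafe(array $f): string {
    return '<tr><td>' . e($f['name']) . '</td>'
         . '<td><input name="' . e($f['field']) . '" value="' . e($f['value']) . '"></td></tr>';
}

// Cheap regression check a test suite can run over a rendered fragment:
// outside the template's own tags, no user-supplied '<' or '"' may survive.
function containsRawUserMarkup(string $html, array $f): bool {
    foreach ($f as $v) {
        if ($v !== e($v) && strpos($html, $v) !== false) {
            return true; // the unencoded user string is present verbatim
        }
    }
    return false;
}

echo renderFilterRaw($filter), PHP_EOL;   // <b>, <u> and the stray quote reach the browser
echo renderFilterSafe($filter), PHP_EOL;  // &lt;b&gt;, &lt;u&gt; and &quot; are shown as text
var_dump(containsRawUserMarkup(renderFilterRaw($filter), $filter));  // bool(true)
var_dump(containsRawUserMarkup(renderFilterSafe($filter), $filter)); // bool(false)
```

The encoding belongs at the point of output, not at save time, so the same stored filter can still be shown unchanged in a plain-text export or an API response.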
