user preferences: forbid < and > characters when changing passwords (were silently stripped on save because of clean())

master
Andrew Dolgov 4 years ago
parent da98ba662e
commit 4a074111b5

@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected {
$old_pw = clean($_POST["old_password"]);
$new_pw = clean($_POST["new_password"]);
$new_unclean_pw = $_POST["new_password"];
$con_pw = clean($_POST["confirm_password"]);
if ($new_unclean_pw != $new_pw) {
print "ERROR: ".format_error("New password contains disallowed characters.");
return;
}
if ($old_pw == $new_pw) {
print "ERROR: ".format_error("New password must be different from the old one.");
return;
@ -380,12 +386,12 @@ class Pref_Prefs extends Handler_Protected {
print "<fieldset>";
print "<label>" . __("New password:") . "</label>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>";
print "</fieldset>";
print "<fieldset>";
print "<label>" . __("Confirm password:") . "</label>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>";
print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>";
print "</fieldset>";
print_hidden("op", "pref-prefs");

Loading…
Cancel
Save