Closed mdthh closed 12 months ago
Thanks @mdthh.
You're welcome. But will you implement my proposal?
We can, but what was the issue that you were encountering? Or is it just preventive?
Are you looking for an update soon?
"Just" preventive. To avoid XSS attacks, since the username can contain HTML code. An update would be appreciated, but pls.: no pressure. I realize and appreciate that this is an OS project. 🙏
@mdthh, then, to be consistent, we would also need to filter HTML code in the user registration form to remove the issue at the source.
But I can do a small maintenance release for the index.phtml for now. Changing the user form is not complicated, but it is a change in expected behavior. I am not sure how many people would want to be able to have HTML code in the user name, but this is the kind of change where we need to warn developers of a possible break in functionality.
then, to be consistent, we would also need to filter html code in the user registration form to remove the issue at the source.
Good idea! But I feel it's a bad idea to allow HTML in user name. Should be a no-go, IMO. "Laravel Breeze", just to compare, also strictly escapes HTML in user names.
Agreed. Any text data that is entered in a form to be later displayed in HTML should be cleaned up of any HTML scripting.
As we are thinking of the next major release, we should add this consideration to the bucket list.
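The two layers discussed above (escaping at output in index.phtml and rejecting markup at registration), as an added example that is not code from this project; the helper names `e()` and `isValidUserName()`, the `$user` array and the template markup are assumptions:

```php
<?php
// Added example, not the project's own code. Shows output-side escaping for
// the user name rendered in a .phtml template plus an input-side rule for the
// registration form. Helper names and the template structure are assumptions.

/** Escape a value for insertion into HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attributes quoted either way; ENT_SUBSTITUTE avoids returning an
    // empty string on invalid UTF-8 (which would silently blank the name).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Registration-side rule: refuse names that could carry markup at all.
 * Rejecting rather than "cleaning" keeps stored data equal to what the
 * user typed and avoids the known quirks of strip_tags() on partial tags.
 */
function isValidUserName(string $name): bool
{
    $name = trim($name);
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 64
        && preg_match('/[<>]/u', $name) === 0;
}

// Constructed sample: a stored user name that contains markup.
$user = ['name' => '<b>Mallory</b>'];

// At registration this name would have been refused:
var_dump(isValidUserName($user['name']));   // bool(false)
var_dump(isValidUserName('Mallory Smith')); // bool(true)
?>
<!-- Before (vulnerable): the browser interprets the markup, so a name with a
     <script> or an event-handler attribute would run in every visitor's page -->
<span class="user"><?= $user['name'] ?></span>

<!-- After: the same value rendered as inert text (&lt;b&gt;Mallory&lt;/b&gt;) -->
<span class="user"><?= e($user['name']) ?></span>
```

Output escaping is the fix that closes the issue for names already in the database; the registration rule only prevents new ones from being stored.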
Next major release? Sounds exciting! Pls. feel free to contact me if I can assist! My E-Mail: mdthh@trippo.org
We will.
Escape HTML for user name