Comments (6)
Hi!!
I've noticed that passwords were also "sanitized" for malicious code. It has been patched and will be available shortly.
Thank you for the feedback
from syspass.
Thanks,
This fixed most of the problem: the angle brackets are now being returned (I can see them in the page source), but they still do not show.
The problem seems to be that they're not escaped. I think I've fixed the problem but I don't know the software well enough to test thoroughly. Please see the diff below; this change seems to fix the problem completely.
diff --git a/ajax/ajax_viewpass.php b/ajax/ajax_viewpass.php
index 6a0c1e4..4277a96 100644
--- a/ajax/ajax_viewpass.php
+++ b/ajax/ajax_viewpass.php
@@ -94,10 +94,10 @@ if ($fullTxt) {
</tr>
<tr>
<td><span class="altTxtBlue">' . _('Clave') . '</span></td>
- <td>' . trim($accountClearPass) . '</td>
+ <td>' . htmlentities(trim($accountClearPass)) . '</td>
</tr>
</table>';
echo '</div>';
} else {
echo trim($accountClearPass);
-}
\ No newline at end of file
+}
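Review bot: the else branch at the end of this hunk still emits the password unescaped (`echo trim($accountClearPass);`), so only the `$fullTxt` table cell is covered. If the caller inserts that response into the page as HTML it needs the same encoding; if it is consumed as plain text, a comment saying so would prevent someone "fixing" it later and double-encoding. On the changed line, `htmlentities()` is called with default flags and charset, which differ between PHP versions (under `ENT_COMPAT` single quotes are left as-is, and an older default charset can mangle multibyte passwords); `htmlspecialchars(trim($accountClearPass), ENT_QUOTES, 'UTF-8')` states the intent explicitly and encodes only the characters that matter in this context.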
from syspass.
Hi!!, I've already patched the stable release.
Thank you for your support!
from syspass.
Hi again,
I have the same issues even though I'm running the latest release.
"Pass<word" is shown as "Pass"
"Pass<<word" is shown as "Pass<"
And after verification, it does the same on http://demo.syspass.org/index.php
from syspass.
@Naelwan unfortunately a parameter in the ajax request was malformed...
Solved in last commit
from syspass.
Thank you!
from syspass.