To reproduce: Create a new account or edit an existing one</li

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Left angle bracket "<" causes remaining characters of password to be omitted about syspass HOT 6 CLOSED

nuxsmin commented on May 14, 2024

Left angle bracket "<" causes remaining characters of password to be omitted

from syspass.

Comments (6)

nuxsmin commented on May 14, 2024

Hi!!

I've noticed that passwords were also "sanitized" for malicious code. It has been patched and will be available in short.

Thank you for the feedback

from syspass.

commented on May 14, 2024

Thanks,

This fixed most of the problem, the angle brackets are now being returned (I can see them in the page source) but they still do not show.

The problem seems to be that they're not escaped. I think I've fixed the problem but I don't know the software well enough to test thoroughly. Please see the diff below, this change seems to fix the problem completely.

diff --git a/ajax/ajax_viewpass.php b/ajax/ajax_viewpass.php
index 6a0c1e4..4277a96 100644
--- a/ajax/ajax_viewpass.php
+++ b/ajax/ajax_viewpass.php
@@ -94,10 +94,10 @@ if ($fullTxt) {
         </tr>
         <tr>
             <td><span class="altTxtBlue">' . _('Clave') . '</span></td>
-            <td>' . trim($accountClearPass) . '</td>
+            <td>' . htmlentities(trim($accountClearPass)) . '</td>
         </tr>
         </table>';
     echo '</div>';
 } else {
     echo trim($accountClearPass);
-}
\ No newline at end of file
+}

from syspass.

nuxsmin commented on May 14, 2024

Hi!!, I've already patched the stable release.

Thank you for your support!

from syspass.