Ticket #5679 (new Bugs)

Opened 1 year ago

Last modified 2 months ago

No escaping of HTML characters in voicemail module

Reported by: miken32
Assigned to:
Priority: major
Milestone: 2.11
Component: Voicemail
Version: 2.10-branch
Keywords:
Cc:
Confirmation: Unreviewed
Distro:
Backend Engine: All
Distro Ver:
Backend Ver:
SVN Revision (if applicable):

Description

Values retrieved from the external voicemail.conf file into the voicemail admin module are not sanitized with htmlspecialchars(). In addition to just plain not working if you happen to have a " in your settings, this allows injection of arbitrary HTML into the page.
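
The following is an added illustration of the bug class described in the report, written for this page and not taken from the attached diff or from FreePBX's page.voicemail.php. The $settings array, the render_unsafe()/render_safe() functions and the h() helper are assumptions made for the example; the sample value is constructed to contain a double quote and a tag, which is all it takes to break the attribute and inject markup.

```php
<?php
// Added example, not FreePBX code: a voicemail.conf value written into
// an HTML form field, first unescaped (the bug) and then escaped (the fix).

// Constructed sample of what a parsed voicemail.conf might yield. The
// first value carries a double quote and a tag, as a careless edit or an
// attacker with write access to the file could put there.
$settings = [
    'emailsubject' => 'New message "${VM_MSGNUM}" <script>alert(1)</script>',
    'serveremail'  => 'voicemail@example.com',
];

// Vulnerable: the raw value lands inside value="...". The first " in the
// value terminates the attribute, so the field shows only 'New message '
// and everything after the quote is parsed as attributes and then as a
// live <script> element in the page.
function render_unsafe(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Fix: escape at the point of output. ENT_QUOTES converts both " and '
// so the value is safe inside attributes quoted either way; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup, every interpolated value passed through h().
function render_safe(string $name, string $value): string {
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

foreach ($settings as $name => $value) {
    echo "unsafe: " . render_unsafe($name, $value) . "\n";
    echo "safe:   " . render_safe($name, $value) . "\n";
}
```

Running it shows the escaped form emitting `&quot;`, `&lt;` and `&gt;` in place of the raw characters, so the browser renders the whole string as the field's value and nothing executes. Escaping on output does not alter what is stored: the browser decodes the entities before submitting the form, so the value written back to voicemail.conf is the original text. The same rule holds for values placed in element text, not only attributes.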

Attachments

page.voicemail.php.diff (1.6 kB) - added by miken32 on 03/15/12 15:33:18.
diff against 2.9 release

Change History

03/15/12 15:33:18 changed by miken32

  • attachment page.voicemail.php.diff added.

diff against 2.9 release

03/11/13 17:30:51 changed by miken32

Just for the record, I'll say it again. In addition to just plain not working if you happen to have a " in your settings, this allows injection of arbitrary HTML into the page. All values output onto a web page must be escaped, just as values put into a database must be escaped.