fix(profile): neutralize stored XSS in profile descriptions [#250] (#252)

This commit is contained in:
Ferywir
2026-06-22 15:31:20 +02:00
committed by GitHub
parent 4b208dbfd8
commit 9d2d7699a9
5 changed files with 36 additions and 7 deletions
+4 -2
View File
@@ -1309,8 +1309,10 @@ class MYSQLi_DB implements IDbConnection {
$gender = (int)$gender;
$location = mb_substr(trim($location), 0, 30, 'UTF-8');
$birthday = trim($birthday);
$desc1 = trim($desc1);
$desc2 = trim($desc2);
// Issue #250: cap profile descriptions (BBCode is rendered as HTML on
// display) so a single field cannot store an oversized payload.
$desc1 = mb_substr(trim($desc1), 0, 3000, 'UTF-8');
$desc2 = mb_substr(trim($desc2), 0, 3000, 'UTF-8');
$stmt = $this->dblink->prepare(
"UPDATE `".TB_PREFIX."users`
+5
View File
@@ -239,6 +239,11 @@ class Profile {
$database->setVillageName($varray[$i]['wref'], $newName);
}
// Invalidate the 30s session user-cache (see Session::PopulateVar) so the
// saved description/birthday/etc. show up immediately on the edit form and
// header, without waiting for the cache to expire (issue #250).
unset($_SESSION['cache_user_' . ($_SESSION['username'] ?? '')]);
header("Location: spieler.php?uid=" . $session->uid);
exit;
}