Fix username bug on groups.php
If a username has a special character (such as a period, which is common in usernames), it is not possible to edit a group containing that user. This patch fixes that. Now, the username can safely contain anything but a double quote.

For true safety, it may also be beneficial to backslash-escape any double quotes as well, but I don't think that should be strictly required as usernames probably shouldn't contain double quotes anyway, and I don't think the bug is exploitable for XSS in this particular context either.
dmjohnsson23 authored May 21, 2024
1 parent d1eca7b commit f810416
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion groups.php
Expand Up @@ -266,7 +266,7 @@ function edit_group(id) {
$('#editName').prop("value", group['name']);
for (var i = 0; i < cnt; i++) {
console.log('Selected user: ' + selectedUsers[i]);
$('#editUsers option[value=' + selectedUsers[i] + ']').attr('selected',true).change();
$('#editUsers option[value="' + selectedUsers[i] + '"]').attr('selected',true).change();
}

}
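
Review bot: The new `$('#editUsers option[value="' + selectedUsers[i] + '"]')` line still builds the attribute selector by concatenating the username into selector text, so a value containing a double quote or a backslash will still yield a malformed or non-matching selector and the user will not be preselected. Consider keeping the value out of the selector string entirely, for example `$('#editUsers option').filter(function () { return this.value === selectedUsers[i]; })`, or passing it through `$.escapeSelector()` if the bundled jQuery is 3.0 or later. As a smaller style point, `.prop('selected', true)` would match the `.prop("value", ...)` call a few lines above and is the usual way to set the selected state.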