From f810416ffdec2911166c352b93b3b73d7a679d93 Mon Sep 17 00:00:00 2001
From: dmjohnsson23
Date: Tue, 21 May 2024 13:47:10 -0600
Subject: [PATCH] Fix username bug on groups.php

If a username has a special character (such as a period, which is common in usernames), it is not possible to edit a group containing that user. This patch fixes that. Now, the username can safely contain anything but a double quote. For true safety, it may also be beneficial to backslash-escape any double quotes as well, but I don't think that should be strictly required as usernames probably shouldn't contain double quotes anyway, and I don't think the bug is exploitable for XSS in this particular context either.
---
 groups.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/groups.php b/groups.php
index a480fabfd..cb731149e 100644
--- a/groups.php
+++ b/groups.php
@@ -266,7 +266,7 @@ function edit_group(id) {
 $('#editName').prop("value", group['name']);
 for (var i = 0; i < cnt; i++) {
 console.log('Selected user: ' + selectedUsers[i]);
- $('#editUsers option[value=' + selectedUsers[i] + ']').attr('selected',true).change();
+ $('#editUsers option[value="' + selectedUsers[i] + '"]').attr('selected',true).change();
 }
 }
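Review bot: The quoted selector on the `+` line still breaks when a username contains a double quote or a backslash, because `selectedUsers[i]` is concatenated into the attribute selector unescaped; jQuery then either throws a selector syntax error or matches the wrong option. If it throws, the loop in `edit_group` stops and the remaining members are not pre-selected, which could drop them from the group on save if the form submits the current selection (the save path is not visible here, so confirm). Matching on the value avoids selector parsing altogether: `$('#editUsers option').filter(function () { return this.value === String(selectedUsers[i]); }).prop('selected', true).change();`. Because the string always begins with `#editUsers`, jQuery parses it as a selector rather than HTML, which is consistent with the commit message's view that this is not an XSS sink. `edit_group` begins before the hunk.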