Fix html injection in user fields (#10535)

validate realname and descr to alpha/numeric/spaces only
This flaw is actually in bootgrid, the html isn't interpreted until bootgrid loads.
This commit is contained in:
Tony Murray
2019-08-21 20:36:22 -05:00
committed by GitHub
parent a1c8fe63ee
commit 2441096015
4 changed files with 9 additions and 4 deletions
+2 -2
View File
@@ -34,9 +34,9 @@ class StoreUserRequest extends FormRequest
'max:255',
Rule::unique('users', 'username')->where('auth_type', LegacyAuth::getType()),
],
'realname' => 'max:64',
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'max:30',
'descr' => 'nullable|max:30|alpha_space',
'level' => 'int',
'new_password' => 'required|confirmed|min:' . Config::get('password.min_length', 8),
'dashboard' => 'int',