Ian Maclennan
Mar 11, 2008, 9:17:28 PM
to Joomla! Devel Documentation
Hey...
I've attached a patch that I am proposing. I wanted to bring it here
because it is a potentially very high impact patch.
The patch does two things:
1. In two files (administrator/components/com_users/views/user/tmpl/
form.php and libraries/joomla/database/table/user.php) it makes a
minor modification to the regular expression so that it allows the
minus and plus characters in user names. This is necessary to allow
for domain names that have hyphens, and the potential that some OpenID
hosts will allow plus signs. Since the username is just a string, I
can't foresee problems with allowing + and - signs in the username.
2. The third file that is touched is the validate.js file. I modified
this file so that it would use the same regex that is used in the
other two places (var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]",
"i");) It previously used a positive checking regex, and so the
change will mean that it will look for nasty characters in the
username instead of verifying only good characters. This will bring
the javascript library in line with what is used in the PHP and will
give us consistency between the frontend and backend.
So please review the attached patch and offer any comments,
suggestions or thoughts.
Ian
Index: administrator/components/com_users/views/user/tmpl/form.php
===================================================================
--- administrator/components/com_users/views/user/tmpl/form.php
(revision 10127)
+++ administrator/components/com_users/views/user/tmpl/form.php
(working copy)
@@ -36,7 +36,7 @@
submitform( pressbutton );
return;
}
- var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");
+ var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");
// do field validation
if (trim(form.name.value) == "") {
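Review bot: on the + line the "i" flag is a no-op, since the class contains only punctuation, and the | separators between the escaped characters are not alternation inside a bracket expression but literal members of the set, so this check also rejects "|" even though the proposal lists only nine characters; write the class once as [<>"'%;()&] (adding | only if it is meant to be rejected) so the rule says what it does. The same shape is repeated in user.php and validate.js, so whichever form is chosen should be copied to all three files rather than retyped.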
@@ -298,4 +298,4 @@
<input type="hidden" name="sendEmail" value="0" />
<?php } ?>
<?php echo JHTML::_( 'form.token' ); ?>
-</form>
\ No newline at end of file
+</form>
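Review bot: this hunk only restores the missing newline at end of file and does not touch the username rule (the final hunk in validate.js is the same kind of change); for a patch flagged as potentially very high impact, keep whitespace-only edits out of it or commit them separately, so the behavioural change can be reviewed on its own.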
Index: libraries/joomla/database/table/user.php
===================================================================
--- libraries/joomla/database/table/user.php (revision 10127)
+++ libraries/joomla/database/table/user.php (working copy)
@@ -149,7 +149,7 @@
}
- if (eregi( "[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", $this->username)
|| strlen(utf8_decode($this->username )) < 2) {
+ if (eregi( "[\<|\>|\"|\'|\%|\;|\(|\)|\&]", $this->username) ||
strlen(utf8_decode($this->username )) < 2) {
$this->setError( JText::sprintf( 'VALID_AZ09',
JText::_( 'Username' ), 2 ) );
return false;
}
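Review bot: the + line is not the same rule as the JavaScript copies, even though the characters typed are identical: in a PHP double-quoted string the unrecognized escapes \<, \>, \', \%, \; and so on keep their backslash, and inside a POSIX bracket expression a backslash is an ordinary member of the set, so eregi() here rejects a backslash in the username (and "|", for the same reason as in the JS), while the JavaScript string literal drops the backslashes and lets a backslash through. Spell the set out once without escapes, decide explicitly whether \ and | belong in it, and use the same text in all three files. The VALID_AZ09 message on the following line also still describes an alphanumeric rule that neither the old nor the new check enforces; either reword it or switch to an allowlist (for instance with preg_match()) that admits + and -.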
Index: media/system/js/validate.js
===================================================================
--- media/system/js/validate.js (revision 10127)
+++ media/system/js/validate.js (working copy)
@@ -30,8 +30,9 @@
// Default handlers
this.setHandler('username',
function (value) {
- regex=/^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/;
- return regex.test(value);
+ //regex=/^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/;
+ regex = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&]", "i");
+ return !regex.test(value);
}
);
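Review bot: the + lines turn the front-end check from an allowlist (a leading letter, then letters, digits, ".", "-" and "@") into a blocklist of nine characters, which is the real high-impact part of this patch and should be stated in the proposal: spaces, "/", "\", "=", "#", "?", control characters, leading digits and anything non-ASCII now pass client-side validation where they were rejected before, while the message only argues for "+" and "-". Consistency with the PHP is a fair goal, but the server-side check in user.php is the same blocklist, so everything that displays or routes on the username downstream has to cope with those characters; that decision belongs in the commit message. Two smaller points on the same lines: delete the old regex instead of leaving it commented out, and since the line is being rewritten anyway give regex a var so it stops being an implicit global. One point in the patch's favour worth recording: the old pattern's nested quantifiers (([...])?[...]*)* backtrack exponentially on a long username that fails near its end, so removing it also removes a browser-side hang.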
@@ -164,4 +165,4 @@
document.formvalidator = null;
Window.onDomReady(function(){
document.formvalidator = new JFormValidator();
-});
\ No newline at end of file
+});
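The difference between the allowlist validate.js used before this patch and the blocklist the patch installs, as an added example that is not part of Ian's patch or of the Joomla code base: it builds both checks (the blocklist from the exact string literal the patch passes to RegExp), runs them over a constructed list of usernames covering the hyphenated-host and plus-sign cases from the message, an OpenID-style URL and a few inputs only a blocklist lets through, and reports what the new rule accepts that the old one did not. The function names and the sample usernames are this example's own.

```javascript
// Added example, not part of Ian's patch or the Joomla code base: the
// pre-patch allowlist from validate.js beside the post-patch blocklist,
// run over constructed usernames so the widening is visible.

// Pre-patch handler in validate.js: first character a letter, then letters,
// digits, ".", "-" and "@". The nested quantifiers (([...])?[...]*)*
// backtrack exponentially on a long input that fails near its end, so the
// non-matching samples below are kept short.
const ALLOWLIST = /^[a-zA-Z](([\.\-a-zA-Z0-9@])?[a-zA-Z0-9]*)*$/;

// Post-patch handler, built from the exact string literal the patch uses.
// In a JavaScript string "\<" is simply "<", so the pattern that reaches
// RegExp is [<|>|"|'|%|;|(|)|&]: the alternation bars are literal members
// of the class, so "|" is rejected too, and the "i" flag has nothing to act on.
const BLOCKLIST_LITERAL = "[\<|\>|\"|\'|\%|\;|\(|\)|\&]";
const BLOCKLIST = new RegExp(BLOCKLIST_LITERAL, "i");

// The pattern RegExp actually compiled, after the string literal dropped its backslashes.
function compiledBlocklist() {
  return BLOCKLIST.source;
}

function allowlistAccepts(name) {
  return ALLOWLIST.test(name);
}

// Mirrors the patched handler: `return !regex.test(value)`.
function blocklistAccepts(name) {
  return !BLOCKLIST.test(name);
}

// Constructed sample usernames (not taken from any real system).
const SAMPLE_NAMES = [
  "alice",                            // plain name, both rules accept
  "john-doe.example-host.com",        // hyphenated host, the message's first case
  "alice+tag",                        // plus sign, the message's second case
  "http://alice-smith.myopenid.com/", // OpenID-style identifier with ":" and "/"
  "user name",                        // embedded space
  "bob/../admin",                     // path-like
  "back\\slash",                      // a backslash: accepted here; the PHP copy keeps
                                      // the "\" inside its bracket expression and rejects it
  "1admin",                           // leading digit
  "<script>",                         // both rules reject
  "a|b",                              // rejected only because of the literal bars
];

// Names the new rule accepts that the old one rejected: the widening the patch introduces.
function newlyAccepted(names) {
  return names.filter((n) => blocklistAccepts(n) && !allowlistAccepts(n));
}

// One row per sample, for a side-by-side table.
function compare(names) {
  return names.map((n) => ({
    name: n,
    allowlist: allowlistAccepts(n),
    blocklist: blocklistAccepts(n),
  }));
}

console.log("compiled blocklist:", compiledBlocklist());
console.table(compare(SAMPLE_NAMES));
console.log("newly accepted by the patched rule:", newlyAccepted(SAMPLE_NAMES));
```

Run with node; the table shows that the two motivating inputs pass the new rule, but so do the space, the path, the backslash and the leading digit, none of which the old allowlist let through.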