CVE-2021-46251: SECURITY: Escape username in invalid username error · ScratchVerifier/ScratchOAuth2@1603f04
A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
SECURITY: Escape username in invalid username error
POST requests with invalid usernames to the SpecialScratchOAuth2 page in ScratchOAuth2 may lead to reflected cross-site scripting.
Parent: d856dc7. Commit: 1603f04e44ef67dde6ccffe866d2dca16defb293.
Changed file: includes/special/SpecialScratchOAuth2.php (+1 −1).
@@ -69,7 +69,7 @@ public function specialLogin( $error = null ) {
$username = $request->getVal( 'username’, '’, );
if (!preg_match(SOA2_USERNAME_REGEX, $username)) {
$this->specialLogin(
wfMessage('soa2-invalid-username’, $username)->plain()
wfMessage(‘soa2-invalid-username’)->plaintextParams($username)->parse()
);
return;
}
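Review bot: the fix is sound as far as the message construction goes, but it only closes the hole if `specialLogin( $error )` inserts `$error` into the page as already-escaped HTML; please confirm the caller does not pass it through another `wfMessage()->parse()` round or `->text()`, and does not escape it a second time, since `wfMessage('soa2-invalid-username')->plaintextParams($username)->parse()` now returns HTML with the username escaped whereas the removed `wfMessage('soa2-invalid-username', $username)->plain()` interpolated the raw request value into the message text. A regression test that submits a username containing `<` and `"` (rejected by `SOA2_USERNAME_REGEX`) and asserts the response body contains only the escaped form would pin this behaviour down. Minor: the unchanged context line `$request->getVal( 'username', '', );` carries a trailing comma in the argument list, which requires PHP 7.3 or later; worth checking against the extension's declared minimum PHP version.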