Sign-up Sheets
[resolved] Security (JS/SQL Injection) (4 posts)

  1. chuckjaynes
    Member
    Posted 1 year ago #

    It seems that there isn't any sanitizing of the input fields. For example, entering a first name of <script>alert('hello')</script> is accepted. Then when I view the sign-up sheets, I get a nice "hello" popup.

    In short, JavaScript and SQL injection attacks are possible.

    Adding a strip_tags and/or htmlspecialchars in function clean_array might be a simple fix to this problem.

    http://wordpress.org/extend/plugins/sign-up-sheets/

  2. Andrew Tegenkamp
    Member
    Posted 1 year ago #

    Good catch. I'm not the developer but am checking this out for use and do some WP plugin development. If you get to writing your own plugins or are the developer of this plugin reading this, WordPress has built this and other stuff in with a sanitize_text_field function.

    RE: http://codex.wordpress.org/Function_Reference/sanitize_text_field talks about it and lists related functions for specific fields like email, etc.

    HTH,
    Andrew
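
The fix sketched in the first two posts (sanitize the submitted fields in a clean_array-style function, and escape on output) as an added example. This is not the Sign-up Sheets plugin's own code; clean_array and render_cell are hypothetical names, the minimal fallbacks for sanitize_text_field and esc_html exist only so the file runs outside WordPress, and the input array is constructed from the payload quoted in the first post.

```php
<?php
// Added example, not the plugin's code: sanitize on input, escape on output.
// clean_array() is a hypothetical name echoing the function mentioned in the
// thread; the plugin's real function may differ.

// Minimal stand-ins so this file runs without WordPress loaded. Inside
// WordPress the core sanitize_text_field() / esc_html() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                                // drop HTML tags
        $str = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $str);  // drop control chars
        $str = preg_replace('/\s+/', ' ', $str);                         // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Input boundary: recursively sanitize every submitted field before it is
// stored. Nested arrays (e.g. checkbox groups) are handled as well.
function clean_array(array $fields) {
    $clean = array();
    foreach ($fields as $key => $value) {
        $clean[$key] = is_array($value) ? clean_array($value) : sanitize_text_field($value);
    }
    return $clean;
}

// Output boundary: escape when rendering into HTML, independently of what
// happened on input. Rows stored before sanitization was added are still
// rendered inert this way.
function render_cell($value) {
    return '<td>' . esc_html($value) . '</td>';
}

// Constructed sample submission: the payload from the first post plus a
// legitimate name containing an apostrophe, which must survive untouched.
$submitted = array(
    'first_name' => "<script>alert('hello')</script>",
    'last_name'  => "O'Brien",
);

$stored = clean_array($submitted);   // what would be written to the database

foreach ($stored as $field => $value) {
    echo $field, ': ', render_cell($value), PHP_EOL;
}

// A value that bypassed input sanitization (a legacy row) is still harmless
// once it passes through the output escaper.
echo 'legacy: ', render_cell("<script>alert('hello')</script>"), PHP_EOL;
```

Two points the thread touches on are worth keeping separate: sanitizing on input (strip_tags / sanitize_text_field) limits what gets stored, but escaping on output (htmlspecialchars / esc_html) is what actually prevents the stored "hello" popup, so a viewer that prints saved fields should escape them even after input sanitization is in place. The SQL side is a different boundary again: in WordPress that is $wpdb->prepare() on every insert and update, not string escaping of the field text.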

  3. DLS Software Studios
    Member
    Plugin Author

    Posted 1 year ago #

    Thank you for alerting us of this issue. We will have it corrected with the next version and should be releasing it shortly.

  4. DLS Software Studios
    Member
    Plugin Author

    Posted 1 year ago #

    With the latest version 1.0.6 of the Sign-up Sheets plugin, the sign-up form fields are now protected against cross-site scripting. Please note that SQL injection was not an issue as all database inserts and updates are properly sanitized.

Topic Closed

This topic has been closed to new replies.
