Support » Plugin: Clean Login » Shocking code problem wrecks other areas of site; please fix!

  • Resolved frame25

    (@frame25)


    My WordPress site has a forum installed, and after updating to Clean Login 1.8, I discovered that all my forum edits were being garbled due to HTML characters getting converted to htmlspecialchars before being saved to the database. I thought it was a forum bug, but it turns out the problem was Clean Login.

    That’s right, Clean Login tampers with all POST data.

    This is shocking and needs to be fixed immediately. EVERY SINGLE “$_POST” variable is being run through your sanitization routine and altered!

    It’s utterly jaw-dropping and unacceptable. It ruins one of my favorite plugins for clients. You need to sanitize ONLY the fields you are using. What on earth were you thinking???? Please change this immediately!

    Here are the lines of code where this happens in clean-login.php. On line 233:
    $_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_FULL_SPECIAL_CHARS );
    And again, the same line on line 829.

    You do NOT rewrite the $_POST superglobal. That’s totally crazy.
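
The difference between the whole-request filter quoted above and a scoped read of only the plugin's own fields, as an added example that is not part of the original post or the plugin's code. It uses filter_var_array() on a constructed array in place of filter_input_array(INPUT_POST, ...) so that it runs from the command line, and the field names are hypothetical.

```php
<?php
// Constructed sample request: one login field plus a field owned by a
// forum plugin. All field names here are hypothetical.
$post = [
    'username'      => 'alice',
    'forum_content' => '<p>Tom & "Jerry"</p>',
];

// Pattern from the report: a single filter id is applied to every
// element, and the caller writes the result back over the shared input.
function sanitize_whole_request(array $post): array
{
    return filter_var_array($post, FILTER_SANITIZE_FULL_SPECIAL_CHARS) ?: [];
}

// Scoped pattern: filter only the named fields into a local array and
// leave the shared input untouched for every other plugin.
function read_own_fields(array $post, array $own): array
{
    $spec = array_fill_keys($own, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    // add_empty = false: fields missing from the request are not added as null.
    return filter_var_array($post, $spec, false) ?: [];
}

$clobbered = sanitize_whole_request($post);
$mine      = read_own_fields($post, ['username']);

echo "forum field after whole-request filter:\n  ", $clobbered['forum_content'], "\n";
echo "forum field after scoped read (input untouched):\n  ", $post['forum_content'], "\n";
echo "login field as read by the plugin:\n  ", $mine['username'], "\n";

// Escaping on output then encodes the already-encoded text a second time.
echo "whole-request result after output escaping:\n  ",
    htmlspecialchars($clobbered['forum_content']), "\n";
```

In a request context, the same `$spec` array can be passed to filter_input_array(INPUT_POST, $spec, false) with the result kept in a local variable.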

  • The topic ‘Shocking code problem wrecks other areas of site; please fix!’ is closed to new replies.