From 4a074111b5bce126724bf06c9dc83880432e74c9 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 14 Sep 2020 20:53:00 +0300
Subject: [PATCH] user preferences: forbid < and > characters when changing
 passwords (were silently stripped on save because of clean())

---
 classes/pref/prefs.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 475cd797f..b3341623c 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected {
 
 		$old_pw = clean($_POST["old_password"]);
 		$new_pw = clean($_POST["new_password"]);
+		$new_unclean_pw = $_POST["new_password"];
 		$con_pw = clean($_POST["confirm_password"]);
 
+		if ($new_unclean_pw != $new_pw) {
+			print "ERROR: ".format_error("New password contains disallowed characters.");
+			return;
+		}
+
 		if ($old_pw == $new_pw) {
 			print "ERROR: ".format_error("New password must be different from the old one.");
 			return;
@@ -380,12 +386,12 @@ class Pref_Prefs extends Handler_Protected {
 
 			print "<fieldset>";
 			print "<label>" . __("New password:") . "</label>";
-			print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>";
+			print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>";
 			print "</fieldset>";
 
 			print "<fieldset>";
 			print "<label>" . __("Confirm password:") . "</label>";
-			print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>";
+			print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>";
 			print "</fieldset>";
 
 			print_hidden("op", "pref-prefs");