A collection of minor improvements. #36
Including rewrite of JS (latest standard)
Some important suggestions:
Hello,
Firstly, thanks for your contribution! There are quite a lot of changes so I'll go through them one by one:
login.tt
- good, thanks.
records/add.tt
- these need to be accompanied by back-end code (e.g. validation rules to avoid an invalid zone). When I have time I'll implement this.
Finally, this PR includes too many commits with nondescript messages for me to accept it as-is. I'm happy to clean up & remove the parts I don't want; you will of course receive credit for the changes you made.
Thanks again
albino
Yes, for security.
Yes, feel free to change the parts :)
By the way, I've found a bug which allows the attacker to input a bogus email address.
Steps: (Firefox)
Result:
Expected:
Suggestion
What makes it more secure though?
Thanks v much, I'll get round to it
Yes, but when echoed back it is passed through html_entity, so there is no XSS vector.
You cannot reliably and reasonably validate email addresses with regex. The best way is to send a confirmation email, which we are doing already. If a user inputs an invalid address, the only result is the confirmation email failing to send and the account never being activated.
If you're using html_entity, it's okay.
But what about this? An attacker can use your registration form to send emails to multiple recipients.
victim1@mail;victim2@mail;...victim111111110@mail
Good find. Opened #38
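To make the report above concrete from the defender's side, here is an added example (not code from this PR or from the cyberman project) of the kind of check the registration handler needs before a submitted address reaches the mailer. It does not try to validate addresses against RFC 5322, which the thread already argues is not reasonable; it only guarantees the value is a single mailbox that cannot expand into a recipient list or smuggle extra mail headers. The sample inputs, including the semicolon-separated list, are constructed for this example, and the function names are this example's own.

```python
import re

# Constructed sample inputs for the example. The second one mirrors the
# semicolon-separated list reported in the thread (truncated to three entries).
SAMPLE_INPUTS = [
    "user@example.com",
    "victim1@mail;victim2@mail;victim3@mail",
    "user@example.com\nBcc: someone@example.org",  # header-injection attempt
    "a@b",                                           # no dot in the domain part
    "user@@example.com",
]

# Characters that let a single "address" field name several recipients
# (list separators) or add headers (CR/LF and other whitespace), plus the
# quoting/grouping characters that mail parsers treat specially.
_FORBIDDEN = re.compile(r"[;,\s<>\"'()\[\]\\:]")

# Deliberately loose shape check: exactly one '@', something before it,
# and a dotted domain after it. Real deliverability is confirmed by the
# confirmation email, as the maintainer describes.
_SINGLE_ADDRESS = re.compile(r"^[^@]+@[^@]+\.[^@]+$")


def is_single_recipient(addr: str) -> bool:
    """Return True only if addr can be handed to the mailer as one mailbox.

    Rejects empty or oversized values, any recipient-list separator or
    header-breaking character, and anything that is not one local@domain.
    """
    if not addr or len(addr) > 254:
        return False
    if _FORBIDDEN.search(addr):
        return False
    return _SINGLE_ADDRESS.match(addr) is not None


def recipients_if_split(addr: str) -> list:
    """Show how many recipients a naive mailer would address if it split the
    field on ';' or ','. This is what the check above exists to prevent."""
    return [part for part in re.split(r"[;,]", addr) if part]


def classify(inputs=SAMPLE_INPUTS) -> dict:
    """Map each sample input to whether it would be accepted."""
    return {value: is_single_recipient(value) for value in inputs}


if __name__ == "__main__":
    for value, accepted in classify().items():
        count = len(recipients_if_split(value))
        print(f"{value!r}: accepted={accepted}, naive recipient count={count}")
```

Running the block shows the first sample accepted and every other sample rejected; the recipient count column makes the point of the report visible, since the semicolon list would address three mailboxes from one form submission if it were passed straight through. The check belongs in the back-end handler, not only in the template, because the form can be bypassed with a direct request.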