b3rs3rk

Results 24 comments of b3rs3rk

What do you mean by dated 2015 and 2016? Like the postdate in the Database is 2015/2016?

http://stackoverflow.com/questions/7792038/how-to-properly-escape-password-field-on-html-form These folks are under the impression that htmlspecialchars() doesn't affect the password posting.

Well, the easy answer is to make sure all authentication attempts utilize htmlspecialchars(). The more difficult one is to change the way the password is received/hashed/stored because that will require...

Doing a var_dump of the password after it is checked on login doesn't show any URL encoding with that password. And I'm var_dumping the exact argument contents of what is...

I follow now. Double-checked the admin site code and we're not doing htmlspecialchars() there when we're creating users. I'd suggest a patch against dev with a PR to remove that...

Hmm, it looks like dee9ec21c5c80d8bf52c647380ed0b63027e7085 changed this to protect from XSS. ... But that doesn't make sense in the least. XSS prevention isn't done on input. It is done on...

Yeah, what they are saying is what I am saying. We should be ensuring all form entries in the Smarty templates are escaping their set values on display to the...

Ah, here is the answer. http://www.smarty.net/docs/en/variable.escape.html.tpl If we set this variable within Smarty it will automatically escape all variable assignment outputs. We could do this for all forms and be...

We do that in many places already. But with a template that includes form data, we should be escaping the entire template globally instead of wasting time escaping each one.

After trying it out, we have to individually escape them. Setting it globally messes with some of the theme's formatting.