[security:medium] XSS on register form
In the register form, we do not check for XSS before storing the submitted data in the session:
# Use submitted value
$req->data->{registerInfo}->{mail} = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname} = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr} = $req->address;
This allows HTML to be injected through the form fields, which are then rendered in the mail sent to the end user, and can be used to deliver malicious content (for example a link redirecting to an attacker's site).
We should check for XSS before registering data, for example:
# Check input: reject the request if any user-supplied field carries markup
if (   $self->p->checkXSSAttack( 'mail',      $req->param('mail') )
    or $self->p->checkXSSAttack( 'firstname', $req->param('firstname') )
    or $self->p->checkXSSAttack( 'lastname',  $req->param('lastname') ) )
{
    $self->logger->error("XSS on Register form");
    return PE_MALFORMEDUSER;
}
# Use submitted value
$req->data->{registerInfo}->{mail} = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname} = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr} = $req->address;
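As an added, stand-alone illustration of the two-layer approach (reject suspicious input before it reaches the session, and still escape it when it is rendered in the mail), here is example Perl that is not LemonLDAP::NG code. The `looks_like_xss`, `escape_html` and `validate_register_fields` functions and the sample submissions are assumptions made for this example; the project's real `checkXSSAttack` rules are not shown on this page.

```perl
#!/usr/bin/env perl
# Added example (not LemonLDAP::NG code): validate register-form fields before
# they are stored in the session, and HTML-escape them when rendered in mail.
use strict;
use warnings;

# Reject values that carry HTML or script markup. Conservative by design: a
# mail address or a person's name never legitimately contains these patterns.
# Hypothetical stand-in for the project's own $self->p->checkXSSAttack.
sub looks_like_xss {
    my ($value) = @_;
    return 0 unless defined $value;
    return 1 if $value =~ /[<>]/;             # any tag delimiter
    return 1 if $value =~ /javascript:/i;     # script URL scheme
    return 1 if $value =~ /\bon[a-z]+\s*=/i;  # inline event handler, e.g. onload=
    return 1 if $value =~ /[\r\n]/;           # line breaks: header injection in mail
    return 0;
}

# Escape for safe inclusion in an HTML mail body: defence in depth even after
# the input check has passed.
sub escape_html {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Validate the three user-supplied register fields. Returns undef when all are
# clean, otherwise the name of the first offending field (hypothetical API).
sub validate_register_fields {
    my ($fields) = @_;
    for my $name (qw(mail firstname lastname)) {
        return $name if looks_like_xss( $fields->{$name} );
    }
    return undef;
}

# Constructed sample submissions for the demonstration (not real data).
my @samples = (
    { mail => 'alice@example.org', firstname => 'Alice', lastname => 'Martin' },
    {   mail      => 'bob@example.org',
        firstname => '<a href="http://attacker.invalid">Bob</a>',
        lastname  => 'Smith',
    },
);

for my $submission (@samples) {
    my $bad = validate_register_fields($submission);
    if ($bad) {
        # In the real handler this is where PE_MALFORMEDUSER would be returned.
        print "rejected: field '$bad' contains markup\n";
        next;
    }
    # Clean input may be stored in the session; escape it again when it is
    # interpolated into the mail template.
    my $body = sprintf(
        "Hello %s %s, a confirmation was sent to %s\n",
        map { escape_html( $submission->{$_} ) } qw(firstname lastname mail)
    );
    print "accepted: $body";
}
```

Running the script prints one "accepted" line for the clean submission and one "rejected" line for the one carrying a tag. The rejection check keeps bad data out of the session entirely, while `escape_html` protects the mail template should any other code path write to `registerInfo` without going through the check.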
All public forms should be reviewed to check whether they have the same issue.