Pull request overview
This PR adds HTML escaping using htmlspecialchars() to LDAP attribute values before they are output to prevent Cross-Site Scripting (XSS) vulnerabilities. The changes apply escaping to user data from LDAP sources (usernames, email addresses, names, organizations, etc.) across admin panels, user-facing pages, and email templates.
- Adds `htmlspecialchars()` to LDAP-sourced values displayed in admin management pages
- Applies HTML escaping to user data shown in email templates
- Refactors variable assignments to escape values before output
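The pattern this PR applies, as an added example that is not code from the project: every LDAP attribute is passed through `htmlspecialchars()` once, at the point where it is written into HTML. The helper names, the sample entry and the assumption that the mail templates produce HTML bodies are mine.

```php
<?php
// Added example (not code from this PR): escaping LDAP-sourced attribute
// values with htmlspecialchars() before they reach an HTML page or an HTML
// e-mail body. Function names and the sample entry are assumed, not the project's.

declare(strict_types=1);

/** Escape one value for an HTML text or attribute context. */
function h(?string $value): string
{
    // ENT_QUOTES covers both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' and
    // silently dropping the value.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape every attribute of an LDAP entry (single- or multi-valued). */
function escapeLdapEntry(array $entry): array
{
    $out = [];
    foreach ($entry as $attr => $values) {
        $out[$attr] = is_array($values) ? array_map('h', $values) : h($values);
    }
    return $out;
}

// Constructed entry: the gecos and o fields carry characters that are
// significant in HTML and would be interpreted if written out raw.
$entry = [
    'uid'   => 'jdoe',
    'gecos' => 'Jane <b>Doe</b>',
    'mail'  => 'jdoe@example.org',
    'o'     => 'Example "Org"',
    'memberOf' => ['cn=staff,ou=groups,dc=example,dc=org'],
];

$safe = escapeLdapEntry($entry);

// Before the fix: the attribute is interpolated unescaped, so markup in gecos
// is rendered by the browser instead of being shown as text.
echo "<tr><td>{$entry['uid']}</td><td>{$entry['gecos']}</td></tr>\n";

// After the fix: every cell is escaped, so the same markup is shown literally
// and the quotes in o cannot break out of an attribute value.
echo "<tr><td>{$safe['uid']}</td><td>{$safe['gecos']}</td>"
   . "<td title=\"{$safe['o']}\">{$safe['o']}</td></tr>\n";
```

Escaping must match the output context: if a mail template is sent as plain text rather than HTML, applying `htmlspecialchars()` there would make entities such as `&lt;` appear literally in the message.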
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| webroot/panel/pi.php | Adds HTML escaping to uid, name, and email fields displayed in PI request table |
| webroot/admin/user-mgmt.php | Applies escaping to user attributes (uid, gecos, org, mail, gid) in user management table |
| webroot/admin/pi-mgmt.php | Escapes user data in PI request and owner management tables |
| webroot/admin/ajax/get_group_members.php | Adds escaping to group member data displayed in tables and forms |
| resources/mail/user_sshkey.php | Escapes SSH key data in email template |
| resources/mail/user_loginshell.php | Escapes login shell value in email template |
| resources/mail/user_flag_removed_admin.php | Applies escaping to username in admin notification emails |
| resources/mail/user_flag_added_admin.php | Applies escaping to username in admin notification emails |
| resources/mail/user_flag_added.php | Escapes username and organization in user activation email |
| resources/mail/group_user_request_owner.php | Escapes group name and user details in owner notification email |
| resources/mail/group_user_request.php | Escapes group name in user confirmation email |
| resources/mail/group_user_removed_owner.php | Escapes group name and user details in owner notification email |
| resources/mail/group_user_removed.php | Escapes group name in user notification email |
| resources/mail/group_user_denied_owner.php | Escapes group name and user details in owner notification email |
| resources/mail/group_user_denied.php | Escapes group name in user notification email |
| resources/mail/group_user_added_owner.php | Escapes group name and user details in owner notification email |
| resources/mail/group_user_added.php | Escapes group name in user notification email |
| resources/mail/group_request_cancelled.php | Escapes uid in cancellation notification email |
| resources/mail/group_request_admin.php | Escapes user details in admin notification email |
| resources/mail/group_join_request_cancelled.php | Escapes uid in cancellation notification email |
| resources/mail/group_disband.php | Escapes group name in disband notification email |
| resources/mail/account_deletion_request_cancelled_admin.php | Escapes user details in admin notification email |
| resources/mail/account_deletion_request_admin.php | Escapes user details in admin notification email |
Pull request overview
Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.
3bc1d17 to acb5a1f
This is not really a concern because we trust the attribute values provided by InCommon IdPs.