web: don't allow special chars in user names.

Check this (and show appropriate message) in both account creation and user name update
BOINC · Oct 11, 2024 · 3b1edd1 · 3b1edd1
1 parent dca4153
commit 3b1edd1
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/html/inc/user_util.inc b/html/inc/user_util.inc
@@ -86,8 +86,8 @@ function is_valid_user_name($name, &$reason) {
         $reason = tra("user name must be nonempty");
         return false;
     }
-    if (sanitize_tags($name) !== $name) {
-        $reason = tra("user name may not contain HTML tags");
+    if (filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS) !== $name) {
+        $reason = tra("user name may not contain special characters");
         return false;
     }
     if (is_numeric($name)) {

diff --git a/html/user/edit_user_info_action.php b/html/user/edit_user_info_action.php
@@ -19,16 +19,17 @@
 require_once("../inc/boinc_db.inc");
 require_once("../inc/user.inc");
 require_once("../inc/util.inc");
+require_once("../inc/user_util.inc");
 require_once("../inc/countries.inc");
 
 check_get_args(array("tnow", "ttok"));
 
 $user = get_logged_in_user();
 check_tokens($user->authenticator);
 
-$name = trim(post_str("user_name"));
-if ($name != sanitize_tags($name)) {
-    error_page(tra("HTML tags are not allowed in your name."));
+$name = post_str("user_name");
+if (!is_valid_user_name($name, $reason)) {
+    error_page($reason);
 }
 if (strlen($name) == 0) {
     error_page(tra("You must supply a name for your account."));