From: Tim Düsterhus <duesterhus@woltlab.com>
Date: Mon, 16 Jan 2023 13:40:29 +0000 (+0100)
Subject: Fix XSS vulnerability in registerActivation.tpl
X-Git-Tag: 5.3.26~1^2~1
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=dcf18656ba99b5f8f91312f460407e32d11c40b0;p=GitHub%2FWoltLab%2FWCF.git

Fix XSS vulnerability in registerActivation.tpl

This was introduced in a477e3522933a7204b02013cd6b6d47d0db1d254 when the
activation logic was refactored to no longer use numeric-only activation codes.

Thanks to Chabik Hatim for responsibly reporting the vulnerability.
---

diff --git a/com.woltlab.wcf/templates/registerActivation.tpl b/com.woltlab.wcf/templates/registerActivation.tpl
index f135cf4607..24d97fe46c 100644
--- a/com.woltlab.wcf/templates/registerActivation.tpl
+++ b/com.woltlab.wcf/templates/registerActivation.tpl
@@ -25,7 +25,7 @@
 		<dl{if $errorField == 'activationCode'} class="formError"{/if}>
 			<dt><label for="activationCode">{lang}wcf.user.activationCode{/lang}</label></dt>
 			<dd>
-				<input type="text" id="activationCode" maxlength="40" name="activationCode" value="{@$activationCode}" required class="medium">
+				<input type="text" id="activationCode" maxlength="40" name="activationCode" value="{$activationCode}" required class="medium">
 				{if $errorField == 'activationCode'}
 					<small class="innerError">
 						{if $errorType == 'empty'}