Fix loophole for duplicate nickname using invisible Unicode characters

cf. xpressengine/xe-core#2025
2026-01-08 03:01:43 +09:00 · 2017-02-10 22:01:10 +09:00 · 2017-02-10 22:01:10 +09:00 · 07da55ba8e
commit 07da55ba8e
parent 99cb67b5db
2 changed files with 2 additions and 2 deletions
--- a/modules/member/member.admin.controller.php
+++ b/modules/member/member.admin.controller.php
@ -95,7 +95,7 @@ class memberAdminController extends member
 		{
 			if(isset($args->{$val}))
 			{
-				$args->{$val} = preg_replace('/[\pZ\pC]+/u', '', $args->{$val});
+				$args->{$val} = preg_replace('/[\pZ\pC]+/u', '', html_entity_decode($args->{$val}));
 			}
 		}

--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@ -417,7 +417,7 @@ class memberController extends member
 		{
 			if(isset($args->{$val}))
 			{
-				$args->{$val} = preg_replace('/[\pZ\pC]+/u', '', $args->{$val});
+				$args->{$val} = preg_replace('/[\pZ\pC]+/u', '', html_entity_decode($args->{$val}));
 			}
 		}
 		$output = $this->insertMember($args);