Login with '&' in password again not working after update

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.

Post by WillemDH »

Hello,

Seems we again had the same issue as described here. Some users with & in their password can't log in.

https://support.nagios.com/forum/viewto ... t=password

After setting

$config['global_xss_filtering'] = FALSE;

It works again. Is there any chance '&' will be allowed by default in further updates, so I won't have to manually reconfigure it? :)

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
jomann
Development Lead

Re: Login with '&' in password again not working after updat

Post by jomann »

We can definitely add this as a bug, since using an & symbol in the password should work. I'll add one to the internal bug tracking system.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Re: Login with '&' in password again not working after updat

Post by WillemDH »

Ok, thanks. Thread can be closed. I know the workaround. Grtz!

Re: Login with '&' in password again not working after updat

Post by jomann »

Updating this because I have a solution to the problem.

First off, to keep it from overwriting your config option, please add the line you posted to the config.local.php file (in the same config file directory as the others!), which is not overwritten on upgrade.

Secondly, the reason you can't log in is because the password was created when the value was set to FALSE. The way around it is to make sure all your passwords (or an admin) are set to not have & and then log in and change/update passwords accordingly.

I looked into "fixing" this in the product itself but I don't see a way to fix it without having someone's system get messed up. I certainly don't want to cause everyone's passwords to not work who didn't change the XSS filter variable. I did some testing and if it's left one way or the other and the password was created while it was set a certain way, it does not have an issue with the & symbol.
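The failure mode discussed in this thread, as an added PHP sketch that is not part of the original posts and is not Nagios code: a password that passes through an input filter before hashing only verifies when the filter setting at login matches the setting at creation. Assumptions: the function names are hypothetical, `htmlspecialchars()` stands in for the product's filter (whose actual transformation is not shown in the thread), and `password_hash()` stands in for whatever hashing the product uses.

```php
<?php
// Hypothetical stand-in for a global input filter. The real filter's behaviour
// is not shown in the thread; htmlspecialchars() is used only because it
// rewrites '&' (to '&amp;'), which is enough to reproduce the symptom.
function apply_global_filter(string $value, bool $xssFiltering): string
{
    return $xssFiltering ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
}

// Account creation: the hash is computed over whatever the filter hands back.
function create_account(string $password, bool $xssFiltering): string
{
    return password_hash(apply_global_filter($password, $xssFiltering), PASSWORD_DEFAULT);
}

// Login: the submitted password goes through the filter as currently configured.
function login(string $password, string $storedHash, bool $xssFiltering): bool
{
    return password_verify(apply_global_filter($password, $xssFiltering), $storedHash);
}

// Constructed sample passwords: one with '&', one without.
$samples = ['Winter&Rain-2020', 'WinterRain-2020'];

foreach ($samples as $password) {
    foreach ([false, true] as $filterAtCreation) {
        $hash = create_account($password, $filterAtCreation);
        foreach ([false, true] as $filterAtLogin) {
            printf(
                "%-18s filter at creation=%-5s at login=%-5s -> %s\n",
                $password,
                var_export($filterAtCreation, true),
                var_export($filterAtLogin, true),
                login($password, $hash, $filterAtLogin) ? 'login OK' : 'login FAILS'
            );
        }
    }
}
```

Only the password containing `&` fails, and only in the two rows where the setting differs between creation and login; hashing the raw password bytes, with output encoding left to display time, removes the dependency on the filter setting.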