Use userControl and not XSS check to validate username (#666)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm

@@ -69,7 +69,7 @@ use Digest::MD5;
 #inherits Apache::Session
 #link Lemonldap::NG::Common::Apache::Session::SOAP protected globalStorage
 
-our $VERSION = '1.3.1';
+our $VERSION = '1.3.2';
 
 use base qw(Lemonldap::NG::Common::CGI Exporter);
 our @ISA;
@@ -674,6 +674,7 @@ sub setDefaultValues {
 
     # XSS
     $self->{checkXSS} = 1 unless defined $self->{checkXSS};
+    $self->{userControl} ||= '^[\w\.\-@]+$';
 }
 
 ## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
@@ -1233,10 +1234,20 @@ sub get_url {
 # @return user parameter if good, nothing else.
 sub get_user {
     my $self = shift;
-    return "" unless $self->{user};
-    return $self->{user}
-      unless ( $self->checkXSSAttack( 'user', $self->{user} ) );
-    return "";
+
+    return undef unless $self->{user};
+    unless ( $self->{user} =~ /$self->{userControl}/o ) {
+        $self->lmLog(
+            "Value "
+              . $self->{user}
+              . " does not match userControl regexp: "
+              . $self->{userControl},
+            'warn'
+        );
+        return undef;
+    }
+
+    return $self->{user};
 }
 
 ## @method string get_module(string type)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_WebForm.pm

@@ -8,7 +8,7 @@ package Lemonldap::NG::Portal::_WebForm;
 use Lemonldap::NG::Portal::Simple qw(:all);
 use strict;
 
-our $VERSION = '1.3.1';
+our $VERSION = '1.3.2';
 
 ## @apmethod int authInit()
 # Does nothing.
@@ -96,10 +96,9 @@ sub extractFormInfo {
 
     # Other parameters
     $self->{timezone} = $self->param('timezone');
-    $self->{userControl} ||= '^[\w\.\-@]+$';
 
     # Check user
-    return PE_MALFORMEDUSER unless ( $self->{user} =~ /$self->{userControl}/o );
+    return PE_MALFORMEDUSER unless $self->get_user;
 
     PE_OK;
 }