From f7f20f5fbf26b08ffdd74934293ec783e10c7756 Mon Sep 17 00:00:00 2001
From: michalsn
Date: Sun, 10 May 2020 09:09:10 +0200
Subject: [PATCH 1/2] Filter post data on registration
---
 src/Controllers/AuthController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Controllers/AuthController.php b/src/Controllers/AuthController.php
index 594c360c..cc644e67 100644
--- a/src/Controllers/AuthController.php
+++ b/src/Controllers/AuthController.php
@@ -164,7 +164,8 @@ public function attemptRegister()
 }
 // Save the user
- $user = new User($this->request->getPost());
+ $allowedPostFields = array_merge(['username', 'email', 'password'], $this->config->personalFields);
+ $user = new User($this->request->getPost($allowedPostFields));
 $this->config->requireActivation !== false ? $user->generateActivateHash() : $user->activate();
From 6d09e28aa70d19e51f111d2cbd23b22e1a9671f8 Mon Sep 17 00:00:00 2001
From: michalsn
Date: Mon, 11 May 2020 07:12:56 +0200
Subject: [PATCH 2/2] Add validFields when checking allowed post data
---
 src/Controllers/AuthController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Controllers/AuthController.php b/src/Controllers/AuthController.php
index cc644e67..cc10aff7 100644
--- a/src/Controllers/AuthController.php
+++ b/src/Controllers/AuthController.php
@@ -164,7 +164,7 @@ public function attemptRegister()
 }
 // Save the user
- $allowedPostFields = array_merge(['username', 'email', 'password'], $this->config->personalFields);
+ $allowedPostFields = array_merge(['password'], $this->config->validFields, $this->config->personalFields);
 $user = new User($this->request->getPost($allowedPostFields));
 $this->config->requireActivation !== false ? $user->generateActivateHash() : $user->activate();
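Review bot: The `getPost($allowedPostFields)` call added in PATCH 1/2 probably hands `new User()` an entry for every requested key, with `null` for any field the form did not send; that is how CodeIgniter's request class treats an array of keys, assuming this controller runs on it. Before the change an absent field was simply missing from the array, so the entity may now store or process explicit nulls for optional personal fields. If that matters, drop them first with `array_filter($this->request->getPost($allowedPostFields), static function ($v) { return $v !== null; })`. The validation that runs earlier in `attemptRegister()` is outside the hunk, so required fields may already be guaranteed.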
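Review bot: Apart from `'password'`, the allowlist built in PATCH 2/2 comes entirely from `$this->config->validFields` and `$this->config->personalFields`, so the filter is only as tight as those two arrays, whose contents are not visible here. Any column listed there becomes settable by an unauthenticated registrant, which would include account-state fields such as whatever activation state the following line manages. A comment at the merge would make that contract explicit: `// Registrant-settable fields only; never list state or privilege columns in validFields/personalFields.` A regression test that posts an extra, non-listed field to the registration action and asserts it is not persisted would keep the filter from being removed unnoticed.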