Phalcon's Phalcon\Forms\Element\Select element is not escaping the values between the `<option>` and `</option>` tags. This allows a malicious user to break the HTML code and execute JavaScript code.
This is very similar to the closed issue #12428 and brings similar backward compatibility problems (double escaping for users who escape it before injecting data to the form). But it clearly can generate invalid html code as demonstrated below and should be escaped by default. Anyone using this element has to do it anyway.
To Reproduce
```php
$form = new \Phalcon\Forms\Form();
$data = [
    1 => 'entry with malicious javascript <script>alert("I could do some dirty job instead");</script>',
    2 => 'entry with malicious html </option></select>This appears outside the select box',
];
$select = new \Phalcon\Forms\Element\Select('selector', $data);
$form->add($select);
foreach ($form as $element) {
    echo $element;
}
```
This is the rendered result:
```html
<select id="selector" name="selector">
<option value="1">entry with malicious javascript <script>alert("I could do some dirty job instead");</script></option>
<option value="2">entry with malicious html </option></select>This appears outside the select box</option>
</select>
```
Expected behavior
Currently, the workaround fix is to escape the data manually
```php
$form = new \Phalcon\Forms\Form();
$escaper = new \Phalcon\Html\Escaper;
$data = [
    1 => $escaper->escapeHtml('entry with malicious javascript <script>alert("I could do some dirty job instead");</script>'),
    2 => $escaper->escapeHtml('entry with malicious html </option></select>This appears outside the select box'),
];
$select = new \Phalcon\Forms\Element\Select('selector', $data);
$form->add($select);
foreach ($form as $element) {
    echo $element;
}
```
with rendered html code
```html
<select id="selector" name="selector">
<option value="1">entry with malicious javascript <script>alert("I could do some dirty job instead");</script></option>
<option value="2">entry with malicious html </option></select>This appears outside the select box</option>
</select>
```
Details
Phalcon version: 5.7.0
PHP Version: 8.1.29
Operating System: Rocky Linux 9
Installation type: installing via package manager
Zephir version: 0.18.0
Server: Apache
I know there is a newer Phalcon and a newer PHP, but the problem will be the same as it was not reported yet.
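To keep the manual escaping from being forgotten at individual call sites, the workaround above can be centralised in a small subclass, paired with a regression check that parses the rendered markup and confirms the option boundaries survived. This is an added example, not code from the issue or from Phalcon; it assumes the Phalcon 5 `Select` constructor signature, `Select::render()`, and `Phalcon\Html\Escaper::escapeHtml()` as used in the report, and the two labels are constructed stand-ins for the payloads quoted above.

```php
<?php
// Added example (not Phalcon's code). Assumes Phalcon 5: Select::__construct(name, options, attributes),
// Select::render(), and Phalcon\Html\Escaper::escapeHtml(). Labels below are constructed.
use Phalcon\Forms\Element\Select;
use Phalcon\Html\Escaper;

final class EscapedSelect extends Select
{
    public function __construct(string $name, $options = null, array $attributes = [])
    {
        parent::__construct($name, self::escapeLabels($options), $attributes);
    }

    // Escapes option labels (array values) once, centrally; keys are left untouched.
    // Nested arrays are optgroups and are escaped recursively; non-strings pass through.
    private static function escapeLabels($options)
    {
        if (!is_array($options)) {
            return $options;
        }
        $escaper = new Escaper();
        $out = [];
        foreach ($options as $value => $label) {
            $out[$value] = is_array($label)
                ? self::escapeLabels($label)
                : (is_string($label) ? $escaper->escapeHtml($label) : $label);
        }
        return $out;
    }
}

// Regression check: the parsed markup must contain exactly one <select>, one <option>
// per entry and no <script> element; a broken-out </option></select> fails this.
function assertOptionsIntact(string $html, int $expectedOptions): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML('<!DOCTYPE html><body>' . $html . '</body>');
    libxml_clear_errors();
    return $dom->getElementsByTagName('select')->length === 1
        && $dom->getElementsByTagName('option')->length === $expectedOptions
        && $dom->getElementsByTagName('script')->length === 0;
}

$select = new EscapedSelect('selector', [
    1 => 'entry with <script>alert(1)</script>',            // constructed label
    2 => 'entry with </option></select>outside the select',  // constructed label
]);
var_dump(assertOptionsIntact($select->render(), 2));
```

Running the same check against a plain `Select` built from the unescaped labels is what a unit test for this issue would do, and it fails until the element escapes by default.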