Closed
Description
Bug report
Relational columns (select) do not escape HTML, which allows scripts to be executed!
https://github.com/Laravel-Backpack/CRUD/blob/master/src/resources/views/columns/select.blade.php
What I did:
$this->crud->setColumnDetails('team_id', [
    'label' => 'Team',
    'type' => "select",
    'name' => 'team_id',
    'entity' => 'team',
    'attribute' => "name",
    'model' => "App\Team",
]);

What I expected to happen:
The column should escape all html, and render it as text.
What happened:
If the team name contains html and javascript, e.g:
<script>alert('pwnd')</script>

Then the alert will pop up if that column is loaded.
What I've already tried to fix it:
src/resources/views/columns/select.blade.php
<span>
<?php
$attributes = $crud->getModelAttributeFromRelation($entry, $column['entity'], $column['attribute']);
if (count($attributes)) {
- echo implode(', ', $attributes);
+ echo htmlspecialchars(implode(', ', $attributes));
} else {
echo '-';
}
?>
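Review bot: the `+ echo htmlspecialchars(implode(', ', $attributes));` line relies on PHP's default flags, which on PHP 7.2 (the version reported below) are ENT_COMPAT | ENT_HTML401, so single quotes are left unescaped and a value containing invalid UTF-8 makes `htmlspecialchars` return an empty string, silently dropping the cell. Laravel's `e()` helper (what Blade's `{{ }}` compiles to) passes ENT_QUOTES | ENT_SUBSTITUTE with UTF-8, so `echo e(implode(', ', $attributes));`, or moving the output into `{{ }}` in the Blade template, gives the column the same escaping the rest of the framework applies and avoids both edge cases.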
</span>

Backpack, Laravel, PHP, DB version:
{
"backpack/base": "^0.9.0",
"backpack/crud": "^3.4",
"laravel/framework": "5.5.*"
}

PHP 7.2.3 (cli) (built: Mar 1 2018 16:50:09) ( NTS )
5.7.21 - MySQL Community Server (GPL)
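The following is an added, stand-alone PHP example (not Backpack's or Laravel's own code) that reproduces the vulnerable implode-and-echo from select.blade.php next to a hardened version. It assumes no Laravel is installed, so the escaping done by Laravel's `e()` helper (`htmlspecialchars` with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8) is reproduced in a local function; the function names and the sample team names are constructed for the example.

```php
<?php
// Added example, not Backpack/Laravel code: shows why raw implode-and-echo
// of related-model attributes is an XSS sink and how escaping with the
// flags Laravel's e() helper uses renders the payload as inert text.

/**
 * Escape a string the way Laravel's e() helper does.
 * Assumption: we run outside Laravel, so the helper is reproduced here.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string.
 */
function escapeLikeLaravel(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The original, vulnerable rendering: attribute values reach the page raw. */
function renderSelectColumnUnescaped(array $attributes): string
{
    $body = count($attributes) ? implode(', ', $attributes) : '-';
    return '<span>' . $body . '</span>';
}

/** Hardened rendering: every related-model attribute is escaped before output. */
function renderSelectColumnEscaped(array $attributes): string
{
    if (!count($attributes)) {
        return '<span>-</span>';
    }
    // Escape each value, then join with a literal (trusted) separator.
    $escaped = array_map('escapeLikeLaravel', $attributes);
    return '<span>' . implode(', ', $escaped) . '</span>';
}

// Constructed sample input: the team name from the report plus a benign one.
$teamNames = ["<script>alert('pwnd')</script>", "Blue Team"];

$raw  = renderSelectColumnUnescaped($teamNames);
$safe = renderSelectColumnEscaped($teamNames);

echo "vulnerable: ", $raw, PHP_EOL;   // the <script> element is emitted verbatim
echo "hardened:   ", $safe, PHP_EOL;  // the same text with <, >, ', " as entities

// Self-checks that make the difference explicit.
assert(strpos($raw, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos($safe, "'") === false);                 // ENT_QUOTES: single quotes escaped
assert(renderSelectColumnEscaped([]) === '<span>-</span>');
assert(escapeLikeLaravel("\xff") !== '');             // ENT_SUBSTITUTE: invalid UTF-8 kept
```

Escaping each attribute before the implode is equivalent to escaping the joined string (as the proposed patch does) because the separator is a trusted literal; the per-value form just makes it obvious that nothing from the database reaches the output unescaped. In a real Blade template the same effect comes from moving the output into `{{ }}`, which compiles to `e()`.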