Cross-site scripting vulnerability #1297
Comments
Hello there! Thanks for opening your first issue on this repo! Just a heads-up: Here at Backpack we use Github Issues only for tracking bugs. Talk about new features is also acceptable. This helps a lot in keeping our focus on improving Backpack. If your issue is not a bug/feature, please help us out by closing the issue yourself and posting in the appropriate medium (see below). If you're not sure where it fits, it's ok, a community member will probably reply to help you with that. Backpack communication mediums:
Please keep in mind Backpack offers no official / paid support. Whatever help you receive here, on Gitter, Slack or Stackoverflow is thanks to our awesome awesome community members, who give up some of their time to help their peers. If you want to join our community, just start pitching in. We take pride in being a welcoming bunch. Thank you!
Hi @noh4ck , Thanks for revealing this. I do agree with the small change, since I don't see anybody using the But IMHO, the Cheers! PS. I may be wrong on "best practice in Laravel" here. I know developers are always divided about XSS - whether it's best to filter
@tabacitu The XSS primarily comes in via a frontend/website, not through the backpack panel (that seems to not matter btw. writing html directly in backpack does the same thing). As far as I know, when it comes to XSS best practices in laravel, the only way XSS can be a problem is if you use As I mentioned in my bug report, this only happens when using
Got it, thank you! I think the best option here would be to use the Will follow up with a PR in a few minutes.
Fixed in 8b6bd0a Will tag later today. Thank you @noh4ck !
Hi, how about making it optional? For example I would like to add a column like phpmyadmin has to handle foreign keys. But User (creator) model:
@mgralikowski take a look at the
Yes, I know these functions and use them in the project, but in this case.. Let's try:
Suggestions?
@mgralikowski I think I understand what you're saying - it's pretty inconvenient, I agree. We might be able to create a series of different column types for links, but there would be just as many as the select column types, since there are a bunch of different use cases here: no relationship, 1-1 relationship, 1-n relationship, n-n relationship. In each of those cases, the process of getting the TEXT to show in the link and the LINK would be different. But here's the kicker, and why we haven't created them so far: you, as a developer, would still need to create a link accessor on your model. Otherwise there's no way to know what the link is. So our logic so far has been that, since you're already creating an accessor, why complicate things with a bunch of column types, when you can have total customization by writing them in your accessor. If I'm wrong and you see a different way to do this, please open a separate issue, we've been going further away from the topic here. Cheers!
Bug report
Relational columns (select) does not escape html which allows scripts to be executed!
https://github.com/Laravel-Backpack/CRUD/blob/master/src/resources/views/columns/select.blade.php
What I did:
What I expected to happen:
The column should escape all html, and render it as text.
What happened:
If the team name contains html and javascript, e.g:
Then the alert will pop up if that column is loaded.
What I've already tried to fix it:
src/resources/views/columns/select.blade.php
<span> <?php $attributes = $crud->getModelAttributeFromRelation($entry, $column['entity'], $column['attribute']); if (count($attributes)) { - echo implode(', ', $attributes); + echo htmlspecialchars(implode(', ', $attributes)); } else { echo '-'; } ?> </span>
Backpack, Laravel, PHP, DB version:
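Review bot: the `+ echo htmlspecialchars(implode(', ', $attributes));` line relies on `htmlspecialchars()` default flags, which on the PHP versions that run Laravel 5.5 means ENT_COMPAT (single quotes are left unescaped) and no explicit charset. Since this is a Blade view, the cleaner fix is to drop the raw `echo` and let Blade escape the value, e.g. `{{ implode(', ', $attributes) }}` (and `{{ '-' }}` in the else branch), which goes through Laravel's `e()` helper with ENT_QUOTES and UTF-8. The `count($attributes)` guard can stay as it is.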
{ "backpack/base": "^0.9.0", "backpack/crud": "^3.4", "laravel/framework": "5.5.*" }
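To make the difference between the report's three rendering options concrete, here is an added PHP example that is not part of Backpack or of this issue: the raw echo from the unpatched view, the proposed `htmlspecialchars()` patch with default flags, and the escaping Blade's `{{ }}` applies through Laravel's `e()`. The function names and the sample team names are constructed for this example.

```php
<?php
// Added example, not Backpack's code. It mirrors the shape of the select
// column view (implode(', ', $attributes) inside a <span>) and renders a
// constructed list of related "team" names three different ways.

declare(strict_types=1);

// Constructed sample input: one name carries markup, one carries a quote.
$teamNames = ['Blue Team', "O'Neil's Team", '<script>alert(1)</script>'];

// 1. Unpatched view: raw echo, so any markup in the name reaches the browser as HTML.
function renderRaw(array $attributes): string
{
    $text = count($attributes) ? implode(', ', $attributes) : '-';
    return '<span>' . $text . '</span>';
}

// 2. The patch as proposed: htmlspecialchars() with default flags. On PHP < 8.1
//    the default is ENT_COMPAT, so < > & " are escaped but the single quote is not,
//    and no charset is passed explicitly.
function renderPatched(array $attributes): string
{
    $text = count($attributes) ? implode(', ', $attributes) : '-';
    return '<span>' . htmlspecialchars($text) . '</span>';
}

// 3. What Blade's {{ }} does: Laravel's e() helper is htmlspecialchars() with
//    ENT_QUOTES and 'UTF-8', so the single quote is escaped as well.
function renderEscaped(array $attributes): string
{
    $text = count($attributes) ? implode(', ', $attributes) : '-';
    return '<span>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}

$renderers = [
    'raw'      => 'renderRaw',
    'patched'  => 'renderPatched',
    'escaped'  => 'renderEscaped',
];

foreach ($renderers as $label => $render) {
    echo str_pad($label, 9) . $render($teamNames) . PHP_EOL;
}

// The empty-relation branch renders the same "-" placeholder in every variant.
echo str_pad('empty', 9) . renderEscaped([]) . PHP_EOL;
```

Run it with the php CLI and compare how each `<span>` line treats the `<` of the script tag and the `'` in the second name.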