Cross-site scripting vulnerability #1297

Closed
@Nohac

Description

Bug report

Relational columns (select) do not escape HTML, which allows scripts to be executed!
https://github.com/Laravel-Backpack/CRUD/blob/master/src/resources/views/columns/select.blade.php

What I did:

$this->crud->setColumnDetails('team_id', [
    'label' => 'Team',
    'type' => "select",
    'name' => 'team_id',
    'entity' => 'team',
    'attribute' => "name",
    'model' => "App\Team",
]);

What I expected to happen:

The column should escape all HTML and render it as text.

What happened:

If the team name contains HTML and JavaScript, e.g.:

<script>alert('pwnd')</script>

Then the alert will pop up if that column is loaded.

What I've already tried to fix it:

src/resources/views/columns/select.blade.php

<span>
    <?php
        $attributes = $crud->getModelAttributeFromRelation($entry, $column['entity'], $column['attribute']);
        if (count($attributes)) {
-            echo implode(', ', $attributes);
+            echo htmlspecialchars(implode(', ', $attributes));
        } else {
            echo '-';
        }
    ?>
</span>
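Review bot: the `+` line calls `htmlspecialchars()` with PHP's default flags, which do not include ENT_QUOTES, so a single quote in the team name passes through unescaped; in a Laravel/Blade view the escaper to use is the `e()` helper (or emitting the value with `{{ }}` instead of the raw `<?php echo ... ?>` block), which applies ENT_QUOTES and UTF-8. Suggest `echo e(implode(', ', $attributes));`. Escaping the joined string rather than each element is fine here, since the `', '` separator contains nothing the escaper would alter.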

Backpack, Laravel, PHP, DB version:

{
    "backpack/base": "^0.9.0",
    "backpack/crud": "^3.4",
    "laravel/framework": "5.5.*"
}
PHP 7.2.3 (cli) (built: Mar  1 2018 16:50:09) ( NTS )
5.7.21 - MySQL Community Server (GPL) 
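Added example, not Backpack's own code: a stand-alone PHP script that models the select column's rendering path twice, once echoing the raw relation attribute as the original select.blade.php does and once through an escaper with the same flags Laravel's e() helper uses, fed with the payload from the report. The getRelatedAttributes() helper, the render function names and the sample row are all constructed for this example and stand in for $crud->getModelAttributeFromRelation() and a real Eloquent relation.

```php
<?php
// Added example (not Backpack's code). Models the select column rendering
// with and without output escaping. getRelatedAttributes() is a hypothetical
// stand-in for $crud->getModelAttributeFromRelation($entry, $entity, $attribute).
declare(strict_types=1);

function getRelatedAttributes(array $entry, string $entity, string $attribute): array
{
    // In Backpack this walks the Eloquent relation; here the related rows
    // are a constructed array keyed by the entity name.
    $related = $entry[$entity] ?? [];
    return array_map(function (array $row) use ($attribute): string {
        return (string) $row[$attribute];
    }, $related);
}

// Vulnerable rendering: mirrors the original view, which echoes the raw
// attribute values straight into the <span>.
function renderSelectColumnUnsafe(array $entry, string $entity, string $attribute): string
{
    $attributes = getRelatedAttributes($entry, $entity, $attribute);
    $body = count($attributes) ? implode(', ', $attributes) : '-';
    return '<span>' . $body . '</span>';
}

// Escaper with the flags Laravel's e() helper uses: ENT_QUOTES also converts
// single quotes, which htmlspecialchars()'s default flags leave alone;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Hardened rendering: same logic, but the value is escaped before it is
// concatenated into the HTML. The '-' placeholder is a literal and needs none.
function renderSelectColumnSafe(array $entry, string $entity, string $attribute): string
{
    $attributes = getRelatedAttributes($entry, $entity, $attribute);
    $body = count($attributes) ? escapeHtml(implode(', ', $attributes)) : '-';
    return '<span>' . $body . '</span>';
}

// Constructed sample row: a user whose team name is the payload from the report,
// plus a benign second team to show the ', ' join still works.
$entry = [
    'id'   => 1,
    'team' => [
        ['id' => 7, 'name' => "<script>alert('pwnd')</script>"],
        ['id' => 8, 'name' => 'Blue Team'],
    ],
];

$unsafe = renderSelectColumnUnsafe($entry, 'team', 'name');
$safe   = renderSelectColumnSafe($entry, 'team', 'name');

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Regression checks a maintainer could keep: the rendered column must not
// contain an unescaped tag, and the escaped form must be exactly as expected.
if (strpos($unsafe, '<script>') === false) {
    throw new RuntimeException('unsafe renderer unexpectedly escaped the payload');
}
if (strpos($safe, '<script>') !== false) {
    throw new RuntimeException('safe renderer leaked a raw <script> tag');
}
$expected = '<span>&lt;script&gt;alert(&#039;pwnd&#039;)&lt;/script&gt;, Blue Team</span>';
if ($safe !== $expected) {
    throw new RuntimeException('escaped output differs from expected: ' . $safe);
}
echo "ok\n";
```

Run it with `php example.php`; the unsafe line reproduces the report (the payload lands verbatim inside the span, so a browser would execute it), while the safe line shows the same value rendered as text. The empty-relation branch is kept on purpose: escaping only the joined attributes and not the '-' literal is the minimal change and matches the patch in the report.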
