This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Form input placeholder value is not escaped #8505

Closed
barrystaes opened this issue Sep 24, 2016 · 2 comments

Comments

@barrystaes

barrystaes commented Sep 24, 2016

In Contao v3.5.16 when setting a placeholder value for a Security Question input, I noticed that it wasn't escaped properly. This results in mangled HTML or injections even.

I entered this as placeholder value: Uw antwoord om te bevestigen dat u geen "spam bot" bent

And saw this in the HTML for visitors:

<input type="text" name="c1715a89214715466a3d1921ffa47cd05" id="ctrl_19" class="captcha mandatory" value="" placeholder="Uw antwoord om te bevestigen dat u geen "spam bot" bent" maxlength="2" required>

The same problem may exist for other form types, i have not tested further.

@barrystaes barrystaes changed the title Form input placeholder value is not escaped Form input placeholder value is not properly escaped Sep 24, 2016
@barrystaes barrystaes changed the title Form input placeholder value is not properly escaped Form input placeholder value is not escaped Sep 24, 2016
@barrystaes
Author

Mildly interesting, but I noticed that Chrome did interpret this as such:

<input type="text" name="c91b3dff314d57fd6ec0e8886d4351b51" id="ctrl_19" class="captcha mandatory" value="" placeholder="Uw antwoord om te bevestigen dat u geen " spam="" bot"="" bent"="" maxlength="2" required="">
                                                                                                                                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^

@leofeyer leofeyer added this to the 3.5.18 milestone Sep 27, 2016
@leofeyer leofeyer self-assigned this Oct 21, 2016
@leofeyer
Member

Fixed in 49d2add.

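The bug and the fix in this thread, as an added example (not Contao's code): the placeholder from the report is interpolated into the attribute once verbatim and once attribute-encoded (the equivalent of Contao's `specialchars()`), and Python's tolerant HTML tokenizer then shows how the unencoded version splits into bogus `spam` / `bot"` / `bent"` attributes, much as Chrome did. The `render_input_*` helpers and the `ctrl_19` markup are assumptions standing in for the widget template.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: the placeholder text from the issue report.
PLACEHOLDER = 'Uw antwoord om te bevestigen dat u geen "spam bot" bent'


def render_input_unescaped(placeholder: str) -> str:
    """Reproduce the defect: the attribute value is interpolated verbatim."""
    return (f'<input type="text" id="ctrl_19" class="captcha mandatory" value="" '
            f'placeholder="{placeholder}" maxlength="2" required>')


def render_input_escaped(placeholder: str) -> str:
    """The fix: encode the value for a double-quoted attribute context
    (quotes included), as applying specialchars() to widget attributes does."""
    return (f'<input type="text" id="ctrl_19" class="captcha mandatory" value="" '
            f'placeholder="{escape(placeholder, quote=True)}" maxlength="2" required>')


class AttrCollector(HTMLParser):
    """Record the attributes the tokenizer sees on the first <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input_attrs(html: str) -> dict:
    """Tokenize a fragment the way a lenient HTML parser would and return
    the attribute map of the <input>; a stray quote in the value ends the
    placeholder early and turns the remaining words into attribute names."""
    p = AttrCollector()
    p.feed(html)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    for label, fn in (("unescaped", render_input_unescaped),
                      ("escaped", render_input_escaped)):
        print(label, parse_input_attrs(fn(PLACEHOLDER)))
```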
jsonn pushed a commit to jsonn/pkgsrc that referenced this issue Oct 27, 2016
### 4.2.5 (2016-10-27)

 * Unlock members after password change (see contao/core#8545).
 * Register an alias for the language fallback page model (see
   contao/core#8544).
 * Correctly calculate the maximum length of tl_files.name (see
   contao/core#8536).
 * Correctly add the headline if a content element is versionized (see
   contao/core#8502).
 * Optimize the DCA sorting filter for date fields (see contao/core#8485).
 * Do not show version entries of deleted files (see contao/core#8480).
 * Redirect the empty URL depending on language and alias name (see
   contao/core#8498).
 * Apply `specialchars()` to widget attributes (see contao/core#8505).
 * Queue the requests when rebuilding the search index (see contao/core#8449).
 * Correctly determine the form field names in the file manager (see #600).
 * Correctly show the maximum file size in the form upload widget (see #595).
 * Correctly encode e-mail addresses in the text element (see #594).
 * Do not parse front end templates twice (see #599).
 * Correctly set host and scheme in the URL generator (see #592).
 * Correctly reload the page and file trees in "edit multiple" mode.
 * Correctly normalize the paths in the symlink command.