
Possible XSS vulnerability #52

Open
enferas opened this issue Dec 27, 2022 · 1 comment

Comments

@enferas

enferas commented Dec 27, 2022

Hello,

I would like to report a possible XSS vulnerability.

In file classroombookings-master\application\controllers\Weeks.php in function save_week

The input 'bgcol' is saved in the DB and passed to the view, where it is printed without sanitization.

$data = array(
	'name' => $this->input->post('name'),
	'bgcol' => $this->input->post('bgcol'),
);
if ($week_id = $this->weeks_model->insert($data)) {
	//...
}

In file classroombookings-master\application\models\Weeks_model.php

public function insert($data){
  $data = $this->sleep_values($data);
  
  $insert = $this->db->insert($this->table, $data);
  
  return $insert ? $this->db->insert_id() : FALSE;
}

In file classroombookings-master\application\controllers\Weeks.php in function save_week

public function index(){
  $this->data['weeks'] = $this->weeks_model->get_all();
  $this->data['title'] = $this->data['showtitle'] = 'Timetable Weeks';
  
  $body = $this->load->view('weeks/index', $this->data, TRUE);
  
  $this->data['body'] = $body;
  
  return $this->render();
}

In file classroombookings-master\application\models\Weeks_model.php

public function get_all(){
  $query = $this->db->from($this->table)
	  ->order_by('name', 'ASC')
	  ->get();
  
  if ($query->num_rows() > 0) {
	  $result = $query->result();
	  //..
	  return $result;
  }
}

The
In file C:\transfer_projects\classroombooking\classroombookings-master\application\views\weeks\index.php

<?php
foreach ($weeks as $week) {
	//...
	$dot = week_dot($week);
	echo "<td style='text-align:center'>{$dot}</td>";
	//...
}
?>

In file classroombookings-master\application\helpers\week_helper.php

function week_dot($week, $size = 'md')
{
	$col = $week->bgcol;
	$col = str_replace('#', '', $col);
	$col = '#' . $col;

	$out = "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
	return $out;
}
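A hardened variant of the week_dot() helper shown above, added here as an example (it is not code from the classroombookings project): it validates bgcol as a plain hex colour at output time and HTML-escapes everything interpolated into the attribute. The names normalise_hex_colour, attr, week_dot_safe and the grey fallback colour are assumptions for this illustration.

```php
<?php
// Added example, not project code: a hardened variant of week_dot() that
// treats $week->bgcol as untrusted input. The names normalise_hex_colour,
// attr, week_dot_safe and the grey fallback colour are assumptions.

/**
 * Return a normalised "#rrggbb" string, or null if $raw is not a plain
 * 3- or 6-digit hex colour. Anything else (quotes, angle brackets, CSS
 * functions, extra declarations) is rejected outright, not "cleaned".
 */
function normalise_hex_colour(?string $raw): ?string
{
    $hex = ltrim(trim((string) $raw), '#');
    if (preg_match('/\A(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i', $hex) !== 1) {
        return null;
    }
    if (strlen($hex) === 3) {
        // Expand shorthand, e.g. "abc" -> "aabbcc".
        $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
    }
    return '#' . strtolower($hex);
}

/** Escape a value for use inside a single- or double-quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function week_dot_safe(object $week, string $size = 'md'): string
{
    // Validate on output too: the stored value was user input when it was saved.
    $col = normalise_hex_colour($week->bgcol ?? null) ?? '#cccccc';
    // $size is developer-controlled, but allow-list it anyway.
    $size = in_array($size, ['sm', 'md', 'lg'], true) ? $size : 'md';

    return "<span class='dot dot-week dot-size-" . attr($size)
         . "' style='background-color:" . attr($col) . "'></span>";
}

// Constructed sample rows shaped like CodeIgniter's $query->result() objects.
$weeks = [
    (object) ['name' => 'Week A', 'bgcol' => '#3F51B5'],    // valid, normalised
    (object) ['name' => 'Week B', 'bgcol' => 'abc'],        // shorthand, expanded
    (object) ['name' => 'Week C', 'bgcol' => 'rgb(1,2,3)'], // not hex: fallback
];
foreach ($weeks as $week) {
    echo $week->name, ': ', week_dot_safe($week), "\n";
}
```

Re-checking the value at render time, rather than trusting the form rules alone, keeps the dot safe for rows that were stored before those rules existed or that were written by another code path.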
@craigrodway
Owner

Hello Feras, thanks for reporting this issue. This will be addressed in a future version.

The validation rules for bgcol ensure it is exactly 6-7 characters, which reduces the chances of most attacks.
