Encode the html when html is allowed
carakas committed Aug 29, 2021
1 parent 60e69d2 commit f0b4894dab6b4922249bec4a5be90aff39829ab6
@@ -109,7 +109,7 @@ public function isFilled()
public function parse($template = null)
{
// start html generation
$output = '<input type="hidden" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
$output = '<input type="hidden" value="' . $this->getValue(false) . '"';

// build attributes
$attributes = array();
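Review bot: The switch to `$this->getValue(false)` for the value attribute is not explained in place, so a reader of parse() cannot see from that line why the boolean is passed; the `// start html generation` comment could carry it: `// getValue(false) forces htmlspecialchars on the submitted value, so the attribute is escaped exactly once even when the field allows HTML`. That wording assumes getValue(false) applies SpoonFilter::htmlspecialchars unconditionally, which the textarea test's getValue() assertion suggests but this hunk does not show. The same comment fits the matching lines in the text-input and textarea hunks below. parse() continues past the end of this hunk.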
@@ -789,7 +789,7 @@ public function parse($template = null)

// start html generation
// note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true
$output = '<input value="' . $this->getValue() . '"';
$output = '<input value="' . $this->getValue(false) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
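Review bot: The `[value]` entry passed to getAttributesHTML() on the last line still uses `$this->getValue()`, while the value attribute two lines above now uses `$this->getValue(false)`; the textarea hunk switched its `[value]` entry to `getValue(false)`, so this one looks like the same case left behind. If getAttributesHTML() substitutes `[value]` into attribute strings without escaping (not visible here), a field constructed with HTML allowed would still emit the raw submitted value there; changing it to `'[value]' => $this->getValue(false)` keeps the three parse() methods consistent. The comment `// note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true` now contradicts the code that follows it; replace it with `// getValue(false) escapes the value regardless of the field's allowHTML setting`. parse() starts before and continues after this hunk.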
@@ -302,7 +302,7 @@ public function parse($template = null)
$output = '<textarea';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue()));
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue(false)));

// close first tag
$output .= '>';
@@ -64,7 +64,7 @@ public function testParse()
// Make sure we encode XSS payloads
$_POST['hidden'] = 'But I am le tired\'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>';
$this->assertEquals(
'<input type="hidden" value="But I am le tired&amp;#039;&amp;quot;()%26%25&amp;lt;yes&amp;gt;&amp;lt;ScRiPt%20&amp;gt;alert(1)&amp;lt;/ScRiPt&amp;gt;" id="hidden" name="hidden" />',
'<input type="hidden" value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="hidden" name="hidden" />',
$this->hidHidden->parse()
);
}
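Review bot: The updated expectation only covers a hidden field in its default configuration, whereas the text and textarea tests in this commit each add a second instance with HTML allowed and assert the same escaped output. If SpoonFormHidden accepts an equivalent flag, the same pair of assertions would pin that the single-encoding behaviour holds on both paths; if it does not, a one-line comment saying so would save the next reader the question. testParse() starts before this hunk.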
@@ -352,12 +352,33 @@ public function testParse()
'<input value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);
$_POST['name'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(
'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

// Make sure we do not do double encoding on the ampersand
$_POST['name'] = 'Something & something else';
$this->assertEquals(
'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

// now let's try it with HTML allowed
$this->txtName = new SpoonFormText('name', 'I am the default value', null, 'inputText', 'inputTextError', true);
$this->frm->add($this->txtName);

$_POST['name'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(
'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

$_POST['name'] = 'Something & something else';
$this->assertEquals(
'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);
}
}
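Review bot: The HTML-allowed block starting at `$this->txtName = new SpoonFormText(..., true)` asserts only that parse() output is identical to the escaped case, so a regression that ignored the flag entirely would also pass; if the flag is meant to leave the raw value available through getValue(), an assertion such as `$this->assertSame($_POST['name'], $this->txtName->getValue());` after the `$_POST['name']` assignment would pin that distinction, mirroring the getValue() check in the textarea test. The comment `// Make sure we do not do double encoding on the ampersand` describes the assertion loosely, since the input holds a bare `&` rather than an existing entity; `// Make sure the ampersand is encoded exactly once` matches what is asserted. The form is given a second field named `name` via `$this->frm->add()`; whether add() replaces or rejects a duplicate is not visible here. testParse() starts before this hunk.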
@@ -106,4 +106,16 @@ public function testGetValue()
$_POST['message'] = array('foo', 'bar');
$this->assertEquals('Array', $this->txtMessage->getValue(true));
}

public function testXSS()
{
$_POST['form'] = 'textarea';
$_POST['message'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(SpoonFilter::htmlspecialchars($_POST['message']), $this->txtMessage->getValue());
$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());

$this->txtMessage = new SpoonFormTextarea('message', 'I am the default value', 'inputTextarea', 'inputTextareaError', true);
$this->frm->add($this->txtMessage);
$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());
}
}
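Review bot: testXSS() checks getValue() only for the default instance; after the HTML-allowed instance is created on the `new SpoonFormTextarea(..., true)` line, only parse() is asserted, so the test cannot tell whether the flag still exposes the raw submitted value to callers. If that is the intended contract, adding `$this->assertSame($_POST['message'], $this->txtMessage->getValue());` before the final parse() assertion pins it; if HTML-allowed values are meant to be escaped on every path, a short comment stating that would make the identical expected strings read as deliberate. The two long expected strings are byte-identical; extracting them into a local `$expected` would make the intent of the second assertion (same output despite the flag) visible at a glance.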
