Encode checkbox value to prevent XSS attack #584

Merged (1 commit, Aug 20, 2019)

Conversation

carlosvini (Contributor) commented Jun 12, 2019

Hi,

The default behavior of Former is to use $_GET variables to populate the form fields, if I understood correctly.

This makes an XSS attack possible because checkboxes are not escaping their values.

A similar fix was made here in 2014 for hidden inputs: 5859644

I had a hard time trying to use the right version for the tests, since there's no composer.lock, but when I got it right all tests passed.

Steps to reproduce:

  • Create new Laravel app
  • Install Former through Composer
  • Add code to welcome.blade.php:
    {!! Former::checkbox('test') !!}
  • Run php artisan serve
  • Open URL:
http://127.0.0.1:8000/?test="><h1><i>some HTML here</i></h1>

Expected behavior:

  • Value would be escaped/encoded, no HTML would be rendered

What happens:

  • HTML is displayed (XSS attack)

carlosvini (Contributor, Author) commented Jun 14, 2019

It seems passing the checkbox name in the $_GET as an array is also a problem, i.e. ?name[]=X instead of only ?name=X

Like: http://127.0.0.1:8000/?test[]="><h1><i>some HTML here</i></h1>

But this time the label tag has unescaped HTML. The previously mentioned problem had HTML inside the attribute value of the input tag.

I will see if I find time to make a pull request for this one too.
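The two contexts reported in this thread, a $_GET value landing unencoded inside the input's value attribute (first comment) and inside the label text when the parameter is sent as an array (second comment), shown beside the encoded output. This is an added illustration with a hypothetical minimal renderer, not Former's own code; the $_GET arrays are constructed to mirror the URLs in the report.

```php
<?php
declare(strict_types=1);

// Constructed inputs, as PHP parses the two reported URLs:
//   ?test="><h1><i>some HTML here</i></h1>     (scalar)
//   ?test[]="><h1><i>some HTML here</i></h1>   (array)
$scalarGet = ['test' => '"><h1><i>some HTML here</i></h1>'];
$arrayGet  = ['test' => ['"><h1><i>some HTML here</i></h1>']];

// Encoder for both HTML attribute and text contexts. ENT_QUOTES covers
// single and double quotes, so a value cannot close a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical minimal checkbox renderer (not Former's API). With
// $encode = false it reproduces the defect: the request value is written
// verbatim into the value attribute and into the label text.
function renderCheckbox(array $get, string $name, bool $encode): string
{
    $raw    = $get[$name] ?? '';
    $values = is_array($raw) ? $raw : [$raw];   // ?name=X or ?name[]=X
    $html   = '';
    foreach ($values as $value) {
        $value = (string) $value;
        $safe  = $encode ? e($value) : $value;
        $html .= '<label><input type="checkbox" name="' . e($name)
               . '[]" value="' . $safe . '"> ' . $safe . "</label>\n";
    }
    return $html;
}

// Vulnerable rendering: the attribute is terminated by the injected quote
// and the remaining markup is emitted as live HTML.
echo "Unencoded (vulnerable):\n", renderCheckbox($scalarGet, 'test', false);

// Hardened rendering: the same value survives only as &quot;&gt;&lt;h1&gt;...
echo "Encoded:\n", renderCheckbox($scalarGet, 'test', true);

// Array form, the case from the second comment, also encoded in the label.
echo "Array form, encoded:\n", renderCheckbox($arrayGet, 'test', true);
```

Checking the rendered output for a literal `<h1>` after the `value=` attribute is a quick regression test for either code path.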

@claar claar merged commit 81f0969 into formers:master Aug 20, 2019
ricardosierra added a commit to SierraTecnologia/former that referenced this pull request Jun 16, 2020