Adding messages to the Phalcon\Flash\Session object will cause the contents of the message to remain unescaped when they are displayed, possibly allowing an attacker to inject HTML into the page (XSS).
Class affected: \Phalcon\Flash\Session
Method used: {{ flashSession.output() }}
System details
Phalcon version: 2.0.10
OS: Tested on Ubuntu
Code examples
use Phalcon\Flash\Session;

// Setting the session in my dependency injection object
$di->set('flashSession', function() {
    return new Session([
        'error'   => 'alert alert-danger',
        'success' => 'alert alert-success',
        'notice'  => 'alert alert-info',
        'warning' => 'alert alert-warning'
    ]);
});

// Adding messages inside of a controller
$this->flashSession->success("<script>alert('This will execute as JavaScript!')</script>");

// Echoing out the messages in a volt template (the message is printed as HTML)
{{ flashSession.output() }}

// Same result (printed as HTML)
{{ flashSession.output() | escape }}

// Also the same result (printed as HTML)
{% autoescape true %}
{{ flashSession.output() }}
{% endautoescape %}
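One way to close this hole at the point where the message is stored, rather than at the template (where, as the issue shows, `| escape` and `autoescape` have no effect on `output()`), is to wrap the flash service so every message is HTML-escaped before it reaches the session. The following is an added example, not code from the issue reporter or from Phalcon itself. It assumes Phalcon 2.0.x, where `success()`, `error()`, `notice()` and `warning()` all route through `message($type, $message)` (verify this against your installed version), and reuses the `$di` container and CSS class map from the issue.

```php
<?php
// Added example: an escaping wrapper around Phalcon\Flash\Session.
// Not part of the original issue or of the Phalcon code base.
use Phalcon\Flash\Session as FlashSession;

class EscapingFlashSession extends FlashSession
{
    /**
     * Assumption (Phalcon 2.0.x): the success()/error()/notice()/warning()
     * helpers all call message($type, $message). Escaping here therefore
     * covers all four entry points in one place, before anything is stored.
     */
    public function message($type, $message)
    {
        return parent::message($type, self::escapeHtml($message));
    }

    /**
     * HTML-escape a message for safe inclusion in element content.
     * ENT_QUOTES also encodes single quotes so the result stays safe if a
     * theme ever places the text inside an attribute; ENT_SUBSTITUTE keeps
     * invalid UTF-8 from turning the whole message into an empty string.
     */
    public static function escapeHtml($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Registration in the DI container, same CSS classes as in the issue.
// $di is assumed to be the existing Phalcon\Di instance.
$di->set('flashSession', function () {
    return new EscapingFlashSession([
        'error'   => 'alert alert-danger',
        'success' => 'alert alert-success',
        'notice'  => 'alert alert-info',
        'warning' => 'alert alert-warning',
    ]);
});

// In a controller, the payload from the issue is now stored as text:
//   $this->flashSession->success("<script>alert('This will execute as JavaScript!')</script>");
// The session holds
//   &lt;script&gt;alert(&#039;This will execute as JavaScript!&#039;)&lt;/script&gt;
// so {{ flashSession.output() }} renders the tag literally instead of executing it.
```

The trade-off is that flash messages can no longer carry markup of their own. If a message legitimately needs a link or emphasis, build that fragment in the controller with the user-controlled parts passed through `EscapingFlashSession::escapeHtml()` first, rather than switching escaping off for the whole service. `Phalcon\Escaper::escapeHtml()` could be used in place of `htmlspecialchars()`; the plain PHP function is used here so the behaviour is fixed regardless of framework version.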