Flash messages vulnerable to XSS attacks

[Paradoxis]

Summary

Adding messages to the Phalcon\Flash\Session object will cause the contents of the message to remain unecaped when they are displayed, possibly allowing an attacker to inject HTML into the page (XSS).

• Class affected: \Phalcon\Flash\Session
• Method used: {{ flashSession.output() }}

System details

• Phalcon version: 2.0.10
• OS: Tested on Ubuntu

Code examples

// Setting the session in my dependency injection object
$di->set('flashSession, function() {
  return new Session([
        'error'   => 'alert alert-danger',
        'success' => 'alert alert-success',
        'notice'  => 'alert alert-info',
        'warning' => 'alert alert-warning'
    ]);
});

// Adding messages inside of a controller
$this->flashSession->success("<script>alert('This will execute as JavaScript!')</script>");

// Echoing out the messages in a volt template (the message is printed as HTML)
{{ flashSession.output() }} 

// Same result (printed as HTML)
{{ flashSession.output() | escape }}

// Also the same result (printed as HTML)
{% autoescape true %}
  {{ flashSession.output() }}
{% endautoescape %}

[googlle]

+1

[sergeyklay]

Fixed in 2.1.x