XSS issue: </textarea> not escaped on comment editing form #263

Closed
hi2u opened this issue Nov 28, 2016 · 1 comment

hi2u commented Nov 28, 2016

This is really a cphalcon level issue, so I've posted the main issue there: phalcon/cphalcon#12428

But I've noticed the Phalcon forum itself isn't accounting for this, probably like most other Phalcon sites out there.

See my demo post here: https://forum.phalconphp.com/discussion/14891/this-is-a-demonstration-of-phalcons-inconsistent-text-and-textar#C43323

By entering that text as my first comment, then returning to form to edit the comment, I got the form to do this:

[Screenshot, 2016-11-28: the "edit discussion" form for "this is a demonstration of phalcon's inconsistent text and textarea escaping"]

Also it seems that the <title> is either filtering on input or output and causing an escaping issue. View the source of that forum post, and you'll see

<title>This is a demonstration of Phalcon&amp;#039;s inconsistent Text and TextArea escaping - Discussion - Phalcon Framework</title>

When hovering on my browser tab, that displays as:

This is a demonstration of Phalcon&#039;s inconsistent Text and TextArea escaping

It should instead be:

This is a demonstration of Phalcon's inconsistent Text and TextArea escaping
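As an added example (not the forum's or Phalcon's own code), here are the two symptoms from the report rendered with plain PHP: the stored comment is escaped once, at output time, so a `</textarea>` inside user text cannot close the element, and a title that was already escaped on input is escaped a second time, which is what turns `'` into `&amp;#039;`. The function names and the sample strings are constructed for this illustration.

```php
<?php
// Added example: output-time escaping for a <textarea> body and a <title>.
// Not code from the Phalcon forum or from cphalcon; names are illustrative.

declare(strict_types=1);

/**
 * Escape text for placement inside an HTML element body or attribute.
 * ENT_QUOTES escapes both ' and ", ENT_HTML401 renders ' as &#039;
 * (the entity seen in the report), and $doubleEncode controls whether
 * an '&' that already starts an entity is escaped again.
 */
function escapeHtml(string $text, bool $doubleEncode = true): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401, 'UTF-8', $doubleEncode);
}

/**
 * Render the comment editing form with the stored comment as the textarea's
 * initial value. The closing tag in user text becomes &lt;/textarea&gt;, so the
 * browser keeps it inside the element instead of parsing what follows as markup.
 */
function renderEditForm(string $storedComment): string
{
    return '<textarea name="content">' . escapeHtml($storedComment) . '</textarea>';
}

/**
 * Render the page <title>. If the stored title was already HTML-escaped when it
 * was saved, escaping it again with double-encoding on produces &amp;#039;;
 * passing $storedIsEscaped=true leaves the existing entities alone. Escaping
 * once, at output only, avoids the question entirely.
 */
function renderTitle(string $storedTitle, bool $storedIsEscaped): string
{
    return '<title>' . escapeHtml($storedTitle, !$storedIsEscaped) . '</title>';
}

// Constructed sample comment that tries to close the textarea early.
$comment = "hello </textarea><b>breakout</b>";
echo renderEditForm($comment), PHP_EOL;

// Constructed sample title: stored raw, stored pre-escaped and re-escaped,
// and stored pre-escaped but rendered without double-encoding.
$rawTitle = "Phalcon's inconsistent Text and TextArea escaping";
echo renderTitle($rawTitle, false), PHP_EOL;
echo renderTitle(escapeHtml($rawTitle), false), PHP_EOL;
echo renderTitle(escapeHtml($rawTitle), true), PHP_EOL;
```

Run it with `php example.php`. The first line shows the `</textarea>` from the comment neutralised as `&lt;/textarea&gt;`; the second group shows the raw title escaped correctly, the pre-escaped title double-escaped to `&amp;#039;`, and the pre-escaped title left intact when `double_encode` is off. The general rule the example illustrates is to store user text unescaped and escape it exactly once for the context it is emitted into.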

sergeyklay (Member) commented

@hi2u

Thank you for pointing out the problem in the forum source code.

As @niden has already explained to you in phalcon/cphalcon#12428, we can't make the changes you are talking about in the current Phalcon API branch, because it would break backward compatibility. Many projects escape output independently.

You can see how to get rid of this problem in my commit: d664062

To do so, you don't need to release a new version of Phalcon or even worse, break working projects which already use escaping.

Fixed in the 3.0.x branch. I'll release a new minor Forum version as soon as possible.
Thanks
