Merge branch 'js_escape_security_fix'

smarty-php · Mar 28, 2023 · 6856624 · 6856624
2 parents 5512d64 + 71d1135
commit 6856624
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.
+
 ### Fixed
 - `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP7 notices for undefined array indexes [#736](https://github.com/smarty-php/smarty/issues/736)
 - `$smarty->muteUndefinedOrNullWarnings()` now treats undefined vars and array access of a null or false variables 

diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
@@ -115,7 +115,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
                     // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
                     '<!--' => '<\!--',
                     '<s'   => '<\s',
-                    '<S'   => '<\S'
+                    '<S'   => '<\S',
+	                "`" => "\\\\`",
+	                "\${" => "\\\\\\$\\{"
                 )
             );
         case 'mail':

diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
@@ -64,7 +64,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
                 // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
                 return 'strtr((string)' .
                        $params[ 0 ] .
-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
+                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", 
+                       "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
+                       "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
         }
     } catch (SmartyException $e) {
         // pass through to regular plugin fallback

diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
@@ -237,4 +237,25 @@ public function testNonstdWithoutMbstring()
         $this->assertEquals("sma'rty@&#187;example&#171;.com", $this->smarty->fetch($tpl));
         Smarty::$_MBSTRING = true;
     }
+
+	public function testTemplateLiteralBackticks()
+	{
+		$tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
+		$this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
+	}
+
+	public function testTemplateLiteralInterpolation()
+	{
+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+		$this->smarty->assign('vector', "`Hello, \${name}!`");
+		$this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
+	}
+
+	public function testTemplateLiteralBackticksAndInterpolation()
+	{
+		$this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+		$this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
+	}
+
 }
diff --git a/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
@@ -0,0 +1,2 @@
+# Ignore anything in here, but keep this directory
+*