Skip to content

Commit

Permalink
Merge branch 'js_escape_security_fix'
Browse files Browse the repository at this point in the history
  • Loading branch information
wisskid committed Mar 28, 2023
2 parents 5512d64 + 71d1135 commit 6856624
Show file tree
Hide file tree
Showing 5 changed files with 32 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Security
- Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.

### Fixed
- `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP7 notices for undefined array indexes [#736](https://github.com/smarty-php/smarty/issues/736)
- `$smarty->muteUndefinedOrNullWarnings()` now treats undefined vars and array access of a null or false variables
Expand Down
4 changes: 3 additions & 1 deletion libs/plugins/modifier.escape.php
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
'<!--' => '<\!--',
'<s' => '<\s',
'<S' => '<\S'
'<S' => '<\S',
"`" => "\\\\`",
"\${" => "\\\\\\$\\{"
)
);
case 'mail':
Expand Down
4 changes: 3 additions & 1 deletion libs/plugins/modifiercompiler.escape.php
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
return 'strtr((string)' .
$params[ 0 ] .
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r",
"\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
"`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
}
} catch (SmartyException $e) {
// pass through to regular plugin fallback
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -237,4 +237,25 @@ public function testNonstdWithoutMbstring()
$this->assertEquals("sma'rty@&#187;example&#171;.com", $this->smarty->fetch($tpl));
Smarty::$_MBSTRING = true;
}

public function testTemplateLiteralBackticks()
{
$tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
$this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
}

public function testTemplateLiteralInterpolation()
{
$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
$this->smarty->assign('vector', "`Hello, \${name}!`");
$this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
}

public function testTemplateLiteralBackticksAndInterpolation()
{
$this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
$this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Ignore anything in here, but keep this directory
*

0 comments on commit 6856624

Please sign in to comment.