Fixed an XSS vulnerability in the Twig Extension #1173

Closed


The render_relation_element filter (in contrast to the other two filters) does not use a template for rendering, but simply returns the __toString() value of the given object (that's the default behavior). However, the method was marked as HTML-safe. This leads to the fact that any string returned by __toString() (which often comes from direct user input) is output without any escaping. This makes the filter vulnerable to a Stored Cross-Site Scripting attack. The vulnerability has been fixed in this commit.

Attack vector example: I have a one-to-many relationship between Parent and Child. The __toString() method returns the name of the child, which is direct user input. In the configureListFields method of ParentAdmin, I want all the children to be listed: $listMapper->add('children', 'orm_one_to_many');. If an attacker enters <script>alert('XSS');</script> in the child name field, the script code is executed as soon as anybody views the Parent list. This is because the render_relation_element filter is marked as HTML safe.
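The failure mode described in the PR body, as an added example that is not SonataAdminBundle's code: a minimal Twig extension that registers the same filter twice, once marked `is_safe => ['html']` (the bug) and once without the flag (the fix), and renders a constructed child list through both. It assumes PHP 8.1+ and Twig 3 installed via Composer; the `Child` entity, the `RelationExtension` class, the filter names and the `render()` helper are all hypothetical names chosen for this illustration.

```php
<?php
// Added example, not SonataAdminBundle code. Assumes PHP 8.1+ and Twig 3
// (composer require twig/twig). Class, filter and helper names are made up.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical entity whose __toString() echoes a user-controlled field,
// exactly the situation the PR describes for the child name.
final class Child
{
    public function __construct(public readonly string $name) {}

    public function __toString(): string
    {
        return $this->name;
    }
}

final class RelationExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Vulnerable variant: the callable returns a raw string derived from
            // user input, yet is_safe tells Twig the value is already HTML and
            // must be emitted without escaping.
            new TwigFilter(
                'render_relation_element_unsafe',
                [$this, 'renderElement'],
                ['is_safe' => ['html']]
            ),
            // Fixed variant: no is_safe flag, so the environment's autoescape
            // strategy is applied to whatever __toString() returns.
            new TwigFilter('render_relation_element', [$this, 'renderElement']),
        ];
    }

    public function renderElement(object $element): string
    {
        // Default behaviour from the PR text: no template, just __toString().
        return (string) $element;
    }
}

// Renders a one-to-many list through the named filter with HTML autoescaping on,
// which is the configuration a Symfony application ships with.
function render(string $filter, array $children): string
{
    $loader = new ArrayLoader([
        'list' => '<ul>{% for child in children %}<li>{{ child|' . $filter . ' }}</li>{% endfor %}</ul>',
    ]);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $twig->addExtension(new RelationExtension());

    return $twig->render('list', ['children' => $children]);
}

// Constructed input: one benign child and one carrying the payload from the PR body.
$children = [
    new Child('Alice'),
    new Child("<script>alert('XSS');</script>"),
];

$unsafe = render('render_relation_element_unsafe', $children);
$fixed  = render('render_relation_element', $children);

echo "unsafe: {$unsafe}\n";
echo "fixed:  {$fixed}\n";

// Regression check of the kind worth adding to the extension's test suite:
// the fixed filter must never let a raw <script> tag reach the response.
if (str_contains($fixed, '<script>')) {
    throw new RuntimeException('autoescape was bypassed for render_relation_element');
}
if (!str_contains($unsafe, '<script>')) {
    throw new RuntimeException('expected the is_safe variant to reproduce the bug');
}
```

The `is_safe` option is a promise that the callable has already produced HTML that is safe to emit; it is appropriate for filters that render a template (whose own output is autoescaped), but not for one that forwards `__toString()` unchanged. A quick audit for this class of bug is to list every `TwigFilter` or `TwigFunction` declared with `is_safe` and confirm that each one escapes or template-renders its return value rather than passing through model data.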

Thomas Konrad Fixed an XSS vulnerability in the Twig Extension
The 'render_relation_element' filter (in contrast to the other two
filters) does not use a template for rendering, but simply returns the
'__toString()' value of the given object (that's the default behavior).
However, the method was marked as HTML-safe. This leads to the fact
that any string returned by '__toString()' (which often comes from
direct user input) is output without any escaping. This makes the
filter vulnerable to a Stored Cross-Site Scripting attack. The
vulnerability has been fixed in this commit.
1fd119d

By the way, this has already been mentioned (but somehow ignored) by @timurib here: #916.

Guys, I think this is a serious issue. Any updates on it?

Owner

rande commented Mar 27, 2013

Fixed thanks for reporting.

rande closed this Mar 27, 2013
