Fixed an XSS vulnerability in the Twig Extension #1173

Closed
wants to merge 1 commit into from

2 participants

@thomaskonrad

The render_relation_element filter (in contrast to the other two filters) does not use a template for rendering, but simply returns the __toString() value of the given object (that's the default behavior). However, the method was marked as HTML-safe. This leads to the fact that any string returned by __toString() (which often comes from direct user input) is output without any escaping. This makes the filter vulnerable to a Stored Cross-Site Scripting attack. The vulnerability has been fixed in this commit.

Attack vector example: I have a one-to-many relationship between Parent and Child. The __toString() method returns the name of the child, which is direct user input. In the configureListFields method of ParentAdmin, I want all the children to be listed: $listMapper->add('children', 'orm_one_to_many');. If an attacker enters <script>alert('XSS');</script> in the child name field, the script code is executed as soon as anybody views the Parent list. This is because the render_relation_element filter is marked as HTML safe.
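The behaviour described above, as an added PHP example that is not part of SonataAdminBundle or of this pull request. It assumes Twig 1.x installed through Composer (vendor/autoload.php) and autoescaping enabled, as in a stock Symfony application. The same filter method is registered twice: the hypothetical name render_relation_element_unsafe keeps the is_safe option the PR removes, and render_relation_element is registered the way the fix leaves it. Both are applied to a constructed child name carrying the script tag so the two outputs can be compared side by side.

```php
<?php
// Added demonstration, not SonataAdminBundle code. Assumes Twig 1.x via Composer.
require __DIR__ . '/vendor/autoload.php';

// Stand-in for a Doctrine entity whose __toString() returns user-supplied data.
class Child
{
    private $name;

    public function __construct($name)
    {
        $this->name = $name;
    }

    public function __toString()
    {
        return $this->name;
    }
}

// Minimal extension mirroring the shape of the filter registration in the diff.
class RelationDemoExtension extends Twig_Extension
{
    public function getFilters()
    {
        return array(
            // Before the fix (hypothetical name): declared HTML-safe, so Twig's
            // autoescaper does not touch whatever the method returns.
            'render_relation_element_unsafe' => new Twig_Filter_Method(
                $this, 'renderRelationElement', array('is_safe' => array('html'))
            ),
            // After the fix: no 'is_safe', so the returned string is escaped
            // like any other value printed by the template.
            'render_relation_element' => new Twig_Filter_Method(
                $this, 'renderRelationElement'
            ),
        );
    }

    // No template is involved: the bare __toString() value comes back as-is.
    public function renderRelationElement($element)
    {
        return (string) $element;
    }

    public function getName()
    {
        return 'relation_demo';
    }
}

// Constructed attacker input: the child name from the PR description.
$child = new Child("<script>alert('XSS');</script>");

// Constructed list cells, standing in for what a ParentAdmin list template
// emits for $listMapper->add('children', 'orm_one_to_many').
$templates = array(
    'list_cells' => "before: <td>{{ child|render_relation_element_unsafe }}</td>\n"
                  . "after:  <td>{{ child|render_relation_element }}</td>\n",
);

$twig = new Twig_Environment(new Twig_Loader_Array($templates), array('autoescape' => 'html'));
$twig->addExtension(new RelationDemoExtension());

echo $twig->render('list_cells', array('child' => $child));
```

Run it with the php command-line binary: the "before" cell contains the script tag verbatim, the "after" cell has it entity-encoded. The fix only holds because autoescaping is on for the enclosing template; a template rendered under {% autoescape false %} or printing the filter result with |raw would still emit the raw string.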

Thomas Konrad Fixed an XSS vulnerability in the Twig Extension
The 'render_relation_element' filter (in contrast to the other two
filters) does not use a template for rendering, but simply returns the
'__toString()' value of the given object (that's the default behavior).
However, the method was marked as HTML-safe. This leads to the fact
that any string returned by '__toString()' (which often comes from
direct user input) is output without any escaping. This makes the
filter vulnerable to a Stored Cross-Site Scripting attack. The
vulnerability has been fixed in this commit.
1fd119d
@thomaskonrad

By the way, this has already been mentioned (but somehow ignored) by @timurib here: #916.

@thomaskonrad

Guys, I think this is a serious issue. Any updates on it?

@rande
Owner

Fixed, thanks for reporting.

@rande rande closed this
@CodingNinja CodingNinja referenced this pull request from a commit
@rande rande Fix XSS issue reported by #1173 9fa147d
Commits on Feb 15, 2013
  1. Fixed an XSS vulnerability in the Twig Extension

    Thomas Konrad authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  Twig/Extension/SonataAdminExtension.php
Twig/Extension/SonataAdminExtension.php
@@ -40,7 +40,7 @@ public function getFilters()
return array(
'render_list_element' => new \Twig_Filter_Method($this, 'renderListElement', array('is_safe' => array('html'))),
'render_view_element' => new \Twig_Filter_Method($this, 'renderViewElement', array('is_safe' => array('html'))),
- 'render_relation_element' => new \Twig_Filter_Method($this, 'renderRelationElement', array('is_safe' => array('html'))),
+ 'render_relation_element' => new \Twig_Filter_Method($this, 'renderRelationElement'),
);
}
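Review bot: dropping the is_safe option on the 'render_relation_element' line is the right fix, since renderRelationElement returns the bare __toString() value rather than a rendered template, but it only takes effect where the calling template has autoescaping on; any template that applies this filter inside {% autoescape false %} or pipes the result through |raw still emits the string unescaped, so either escape explicitly inside renderRelationElement or check the templates that use the filter. The two neighbouring filters keep array('is_safe' => array('html')), which is only correct as long as every template they render escapes its own output, so that is worth confirming in the same pass. With the change being a single line (+1 −1 in SonataAdminExtension.php), no test covers the escaped output; a rendering test with a "<script>" child name would keep the regression from returning.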