
html_table ignores escape_html

Stef
Smarty n00b


Joined: 11 Apr 2014
Posts: 2

PostPosted: Fri Apr 11, 2014 2:05 pm    Post subject: html_table ignores escape_html

Hi,

For a few days I've been hardening a web application which uses Smarty as template engine. In order to accelerate the XSS-migration I set the escape_html setting to true and got exactly the result I expected, except for one tag.

I noticed that html_table completely ignores the escape_html setting and doesn't even accept other attributes like "escape".

Possible workarounds for this issue include:
- Putting every input through the htmlspecialchars php function
- Using {section} or {foreach} for building tables

Is this a bug or intentional?
U.Tews
Administrator


Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

PostPosted: Fri Apr 11, 2014 7:49 pm    Post subject:

This is not a bug.
Smarty can know what type of content a plugin returns and if or how variables are used. For example, the plugin could call a template whose output is then already escaped.

But here is the solution. You can attach a modifier to the plugin.

Code:
{html_table|htmlspecialchars  .... }
Stef
Smarty n00b


Joined: 11 Apr 2014
Posts: 2

PostPosted: Wed Apr 23, 2014 9:54 am    Post subject:

U.Tews wrote:
But here is the solution. You can attach a modifier to the plugin.

Code:
{html_table|htmlspecialchars  .... }

Thanks for your answer! Unfortunately it didn't work for me, because when I copied this code, everything (even the table, tr and td HTML tags themselves) was escaped and visible to the user instead of only the input data being escaped.

Over the past few days I studied the source code and tried several modifications of the template, but the only way I could solve it was by using array_map to call htmlspecialchars during an assignment in PHP (and of course by using the other workarounds which were already posted).
Code:
$smarty->assign('data',array_map("htmlspecialchars",$data));


Thanks anyway
Stef

PS: Due to the fact that html_table simply ignores the escape_html setting it is IMHO a bug, because developers trust the library that when they set the escape_html option, everything is escaped by default (which is the case for every other element but html_table). So they might get surprised by an XSS vulnerability which they thought would not be possible. But that's just my 50 cents ;)
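The workaround Stef describes, escaping the data in PHP before it reaches {html_table}, as an added example that is not code from this thread or from the Smarty project. It goes a step further than the one-line array_map in the post: it walks nested row arrays as well as flat lists (array_map on a list of rows would hand arrays to htmlspecialchars) and passes ENT_QUOTES with an explicit UTF-8 charset. The $smarty instance and the {html_table loop=$data cols=2} template are assumed.

```php
<?php
// Added example, not from the thread or the Smarty project.
// Escapes every cell before the data is assigned to the template, because
// {html_table} does not apply escape_html (see the thread above).

function escape_table_data(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            // A row of cells (or a deeper nesting): recurse.
            $out[$key] = escape_table_data($value);
        } else {
            // ENT_QUOTES also escapes ' and ", ENT_SUBSTITUTE replaces
            // invalid UTF-8 instead of returning an empty string.
            $out[$key] = htmlspecialchars(
                (string) $value,
                ENT_QUOTES | ENT_SUBSTITUTE,
                'UTF-8'
            );
        }
    }
    return $out;
}

// Constructed sample data: one cell carries markup, one carries a quote.
$rows = [
    ['Alice', 'alice@example.com'],
    ['<b>Bob</b>', 'O"Neil'],
];

$escaped = escape_table_data($rows);

// Self-check when run from the CLI.
assert($escaped[1][0] === '&lt;b&gt;Bob&lt;/b&gt;');
assert($escaped[1][1] === 'O&quot;Neil');
assert($escaped[0][0] === 'Alice');

// Hand the pre-escaped rows to Smarty ($smarty assumed to be configured):
// $smarty->assign('data', $escaped);
// Template: {html_table loop=$data cols=2}
```

Assign the pre-escaped array only to the {html_table} call: printing the same variable elsewhere with escape_html enabled would escape it a second time and show literal entities.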