|
Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon. |
|
View previous topic :: View next topic |
Author |
Message |
Stef Smarty n00b
Joined: 11 Apr 2014 Posts: 2
|
Posted: Fri Apr 11, 2014 2:05 pm Post subject: html_table ignores escape_html |
|
|
Hi,
Since a few days I'm hardening a web application which uses smarty as template engine. In order to accelarate the XSS-migration I set the escape_html setting to true and got exaclty the result I expected except for one tag.
I noticed, that html_table completely ignores the escape_html setting and doesn't even accept other attributes like "escape".
Possible Workarounds for this issue include
- Putting every input through the htmlspecialchars php function
- Using {section} or {foreach} for building tables
Is this a Bug or intention? |
|
Back to top |
|
U.Tews Administrator
Joined: 22 Nov 2006 Posts: 5068 Location: Hamburg / Germany
|
Posted: Fri Apr 11, 2014 7:49 pm Post subject: |
|
|
This is not a bug.
Smarty can know what type of content a plugin does return and if or how variables are used. For example the plugin could call a template which output is then already escaped.
But here is the solution. You can attach a modifier to the plugin.
Code: | {html_table|htmlspecialchars .... } |
|
|
Back to top |
|
Stef Smarty n00b
Joined: 11 Apr 2014 Posts: 2
|
Posted: Wed Apr 23, 2014 9:54 am Post subject: |
|
|
U.Tews wrote: | But here is the solution. You can attach a modifier to the plugin.
Code: | {html_table|htmlspecialchars .... } |
|
Thanks for your answer! Unfortunately it didn't worked for me because when I copied this code, everything (even the table, tr and td-html-tags itself) were escaped and visible to the user instead of only the input data being escaped.
Over the past few days I studied the source code and tried several modifications of the template but the only way I could solve it was by using array_map to call htmlspecialchars during an assignment in PHP (and of course by using the other workarounds which were already postet).
Code: | $smarty->assign('data',array_map("htmlspecialchars",$data)); |
Thanks anyway
Stef
PS: Due to the fact that html_table simply ignores the escape_html setting it is IMHO a bug, because developers trust the library that when they set the escape_html-option, everything is escaped by default (which is the case for every other element but html_table). So they might get surprised by a XSS vulnerability which they thought would be not possible. But that's just my 50 cent |
|
Back to top |
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|