Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

security issue: escaping strings in event handlers

douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Thu Dec 11, 2014 5:40 am    Post subject: security issue: escaping strings in event handlers

I noticed that there is no option in the escape modifier to sufficiently escape an untrusted string added to an event handler such as onclick.

For the example below, say that $user_input is untrusted data.

In PHP:
Code:

// untrusted value; the embedded quotes and parentheses are the payload
$user_input = "'); alert('Running injected JS here'); alert('";
$smarty->assign('user_input', $user_input);


In the smarty template:
Code:

<h1 onclick="alert('The user entered: <{$user_input|escape:'javascript'}>'); return false;">Click Me!</h1>


Escaping with the javascript option would allow a user to run arbitrary javascript code. Escaping with the html option is not enough either.

So, I added an "htmlevent" option to the escape modifier which is a combination of both (v2):

Code:

        case 'htmlevent':
            // in html event handler, first escape javascript, then html
            $string = strtr($string, array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
            return htmlspecialchars($string, ENT_QUOTES, $char_set);


That way, if you ever have to use an untrusted string in an event handler, you can escape using the htmlevent option to avoid cross-site scripting attacks.

- Doug
All times are GMT
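The two-layer escape described in the post, written out as a stand-alone script rather than as a case inside Smarty's modifier (this is an added example, not code from the post or from Smarty). The function names escape_js_string, escape_htmlevent, escape_wrong_order and count_unescaped_quotes are made up for the example; the payload is constructed to match the one in the post. The script also shows why the order matters: applying the HTML layer first and the JavaScript layer second leaves the browser-decoded quotes unescaped.

```php
<?php
// Layer 1: JavaScript string-literal escaping, the same character mapping the
// post uses for its 'javascript' layer.
function escape_js_string(string $s): string
{
    return strtr($s, [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\r" => '\\r',
        "\n" => '\\n',
        '</' => '<\/',
    ]);
}

// Layer 2 applied on top of layer 1: HTML attribute escaping. The browser
// undoes layer 2 first (entity-decodes the attribute value) and the JS engine
// then undoes layer 1, so the layers must be applied in this order.
function escape_htmlevent(string $s, string $charset = 'UTF-8'): string
{
    return htmlspecialchars(escape_js_string($s), ENT_QUOTES, $charset);
}

// Reversed order, for comparison only: htmlspecialchars() turns each quote
// into &#039; and the JS layer then has nothing left to escape.
function escape_wrong_order(string $s, string $charset = 'UTF-8'): string
{
    return escape_js_string(htmlspecialchars($s, ENT_QUOTES, $charset));
}

// Counts single quotes not preceded by a backslash in what the JS engine sees
// after the browser has entity-decoded the attribute. A correctly escaped
// alert('...') call leaves exactly two: the literal's opening and closing quote.
function count_unescaped_quotes(string $attribute_value): int
{
    $seen_by_js = html_entity_decode($attribute_value, ENT_QUOTES, 'UTF-8');
    preg_match_all("/(?<!\\\\)'/", $seen_by_js, $m);
    return count($m[0]);
}

// Constructed payload, same shape as the post's: tries to close the alert()
// string literal early and start a new statement.
$user_input = "'); alert('Running injected JS here'); alert('";

$safe   = "alert('The user entered: " . escape_htmlevent($user_input) . "'); return false;";
$unsafe = "alert('The user entered: " . escape_wrong_order($user_input) . "'); return false;";

echo '<h1 onclick="' . $safe . '">Click Me!</h1>', PHP_EOL;
echo 'unescaped quotes seen by JS (js-then-html): ', count_unescaped_quotes($safe), PHP_EOL;   // 2
echo 'unescaped quotes seen by JS (html-then-js): ', count_unescaped_quotes($unsafe), PHP_EOL; // 6
```

Run it with the PHP CLI and compare the two counts: only the JavaScript-then-HTML order keeps the payload inside the string literal. The same check generalises to any attribute value you build this way: after html_entity_decode(), every quote that did not come from your own template should carry a backslash.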