security issue: escaping strings in event handlers

douglassdavis
PostPosted: Thu Dec 11, 2014 5:40 am    Post subject: security issue: escaping strings in event handlers

I noticed that there is no option in the escape modifier to sufficiently escape an untrusted string added to an event handler such as onclick.

For the example below, say that $user_input is untrusted data.

In PHP :
Code:

// untrusted value: closes the JS string literal, runs its own code, then reopens a string
$user_input = "'); alert('Running  injected JS here'); alert('";
$smarty->assign('user_input', $user_input);


In the smarty template:
Code:

<h1 onclick = "alert('The user entered: <{$user_input|escape:'javascript'}>'); return false;" > Click Me!  </h1>


Escaping with the javascript option would allow a user to run arbitrary javascript code. Escaping with the html option is not enough either.

So, I added an "htmlevent" option to the escape modifier which is a combination of both (v2):

Code:

        case 'htmlevent':
            // in html event handler, first escape javascript, then html
            $string = strtr($string, array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
            return htmlspecialchars($string, ENT_QUOTES, $char_set);


That way if you ever have to use an untrusted string in an event handler, you can escape using the htmlevent option to avoid cross site scripting attacks.

- Doug
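Added example, not part of Doug's post or of the Smarty code base: a small Node.js simulation of the two decoding stages a browser applies to a value placed inside onclick="...". The HTML tokenizer first cuts the attribute at the first raw double quote (a backslash means nothing to it) and decodes character references; only then does the JavaScript engine parse the result. The function names, the simplified tokenizer and the second payload (one that targets the attribute delimiter instead of the JavaScript string delimiter) are this example's own; the escape tables are ports of the strtr()/htmlspecialchars() calls shown in the post.

```javascript
// Added example, not from the Smarty project or the post above: a simulation of
// how a browser treats an untrusted value inside onclick="...". Function names,
// the simplified tokenizer and the second payload are this example's own.

// Port of Smarty 2's escape:'javascript' strtr() table from the post.
function escapeJavascript(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\r': '\\r', '\n': '\\n', '</': '<\\/' };
  return s.replace(/[\\'"\r\n]|<\//g, (m) => map[m]);
}

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (m) => map[m]);
}

// The posted "htmlevent" modifier: JavaScript escape first, then HTML escape.
function escapeHtmlEvent(s) {
  return escapeHtml(escapeJavascript(s));
}

// The template from the post, with the already-escaped value substituted.
function renderTag(escaped) {
  return `<h1 onclick="alert('The user entered: ${escaped}'); return false;">Click Me!</h1>`;
}

// Stage 1, the HTML tokenizer: a double-quoted attribute value ends at the
// first raw double quote (a backslash means nothing here), and only then are
// character references decoded. Whatever follows that quote is more markup.
function tokenizeOnclick(html) {
  const start = html.indexOf('onclick="') + 'onclick="'.length;
  const end = html.indexOf('"', start);
  const entities = { quot: '"', '#039': "'", '#39': "'", lt: '<', gt: '>', amp: '&' };
  const decoded = html.slice(start, end).replace(/&(quot|#039|#39|lt|gt|amp);/g, (m, name) => entities[name]);
  const trailingMarkup = html.slice(end + 1, html.indexOf('>', end)).trim();
  return { decoded, trailingMarkup };
}

// Stage 2, the JavaScript engine: run the decoded handler with a stub alert()
// and record every call. Exactly one call whose message carries the payload
// verbatim means the value stayed inside the intended string literal.
function assess(escapeFn, payload) {
  const { decoded, trailingMarkup } = tokenizeOnclick(renderTag(escapeFn(payload)));
  const calls = [];
  let parseError = null;
  try {
    new Function('alert', decoded)((msg) => calls.push(msg));
  } catch (e) {
    parseError = e.name; // e.g. SyntaxError: the attribute was cut short by the tokenizer
  }
  const attributeInjected = /\bon\w+\s*=/.test(trailingMarkup);
  const scriptInjected = calls.length !== 1 || calls[0] !== 'The user entered: ' + payload;
  return {
    safe: !attributeInjected && !scriptInjected && parseError === null,
    calls, trailingMarkup, parseError, attributeInjected,
  };
}

// Constructed payloads: the one from the post, and one that aims at the
// attribute delimiter rather than the JavaScript string delimiter.
const QUOTE_PAYLOAD = "'); alert('Running  injected JS here'); alert('";
const DQUOTE_PAYLOAD = '" onmouseover="alert(1)';

for (const [name, fn] of [['html', escapeHtml], ['javascript', escapeJavascript], ['htmlevent', escapeHtmlEvent]]) {
  for (const payload of [QUOTE_PAYLOAD, DQUOTE_PAYLOAD]) {
    const r = assess(fn, payload);
    console.log(`${name.padEnd(10)} ${r.safe ? 'safe  ' : 'UNSAFE'} alerts=${r.calls.length} parseError=${r.parseError} trailing=${JSON.stringify(r.trailingMarkup)}`);
  }
}
```

Run with `node`. The html-only row for the post's payload ends up with three alert() calls, because `&#039;` is turned back into a quote before the handler is parsed; the javascript-only row for the double-quote payload ends in a SyntaxError plus a stray `onmouseover=` attribute, because `\"` still closes the attribute as far as the tokenizer is concerned; htmlevent holds in both rows. The general rule the order encodes is: escape for the innermost context first (JavaScript), then for the outer one (HTML attribute), the reverse of the order in which the browser decodes.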