Smarty
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
Posted: Thu Dec 11, 2014 5:40 am Post subject: security issue: escaping strings in event handlers
I noticed that there is no option in the escape modifier to sufficiently escape an untrusted string added to an event handler such as onclick.
For the example below, say that $user_input is untrusted data.
In PHP:
Code:
// untrusted value that tries to close the JavaScript string literal it is placed in
$user_input = "'); alert('Running injected JS here'); alert('";
$smarty->assign('user_input', $user_input);
In the Smarty template:
Code:
<h1 onclick="alert('The user entered: <{$user_input|escape:'javascript'}>'); return false;"> Click Me! </h1>
Escaping with the javascript option would allow a user to run arbitrary JavaScript code. Escaping with the html option is not enough either.
So, I added an "htmlevent" option to the escape modifier which is a combination of both (v2):
Code:
case 'htmlevent':
    // in an HTML event handler, first escape for JavaScript, then for HTML
    $string = strtr($string, array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
    return htmlspecialchars($string, ENT_QUOTES, $char_set);
That way, if you ever have to use an untrusted string in an event handler, you can escape it using the htmlevent option to avoid cross-site scripting attacks.
- Doug
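As an added illustration (not code from the post or from Smarty), the following Python reproduces the three escaping schemes the post compares and models a browser's two-stage decoding of an onclick attribute (HTML attribute parsing and entity decoding first, then JavaScript string-literal parsing). The payloads are constructed test vectors, and the htmlspecialchars equivalent is Python's html.escape, whose entity spelling differs from PHP's.

```python
import html

# Added example: not the post's code; html.escape stands in for htmlspecialchars(ENT_QUOTES).

def escape_javascript(s: str) -> str:
    """Smarty 2's 'javascript' strtr table from the post, in Python."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\r": "\\r", "\n": "\\n"}
    out, i = [], 0
    while i < len(s):
        if s.startswith("</", i):                  # the one multi-character key
            out.append("<\\/"); i += 2
        else:
            out.append(table.get(s[i], s[i])); i += 1
    return "".join(out)

def escape_html(s: str) -> str:
    return html.escape(s, quote=True)              # encodes & < > and both quote kinds

def escape_htmlevent(s: str) -> str:
    return escape_html(escape_javascript(s))       # the post's order: JS first, then HTML

PREFIX, TAIL = "alert('The user entered: ", "); return false;"   # the template's handler

def parse_single_quoted(js: str):
    """Consume a JS string body up to its closing quote; return (content, rest)."""
    out, i = [], 0
    while i < len(js):
        if js[i] == "\\":                          # \' \" \\ \/ \n \r
            out.append({"n": "\n", "r": "\r"}.get(js[i + 1], js[i + 1])); i += 2
        elif js[i] == "'":
            return "".join(out), js[i + 1:]
        else:
            out.append(js[i]); i += 1
    raise ValueError("unterminated string literal")

def stays_inside_literal(escape, payload: str) -> bool:
    """True only if the payload lands inside the string and the surrounding code is intact."""
    attr = 'onclick="' + PREFIX + escape(payload) + "'" + TAIL + '"'
    raw = attr[len('onclick="'):].split('"', 1)[0]   # HTML parser: value ends at the first raw "
    js = html.unescape(raw)                           # ...then character references are decoded
    try:
        content, rest = parse_single_quoted(js[len(PREFIX):])
    except (ValueError, IndexError):                  # attribute or literal was cut short
        return False
    return content == payload and rest == TAIL

# Constructed test vectors: the post's payload and a double-quote variant of it.
SINGLE_QUOTE_PAYLOAD = "'); alert('Running injected JS here'); alert('"
DOUBLE_QUOTE_PAYLOAD = '"); alert("Running injected JS here"); alert("'
```

Only escape_htmlevent keeps both constructed payloads inside the string literal: html-only escaping lets the single-quote payload close the literal after the browser decodes the entity, and javascript-only escaping lets the double-quote payload terminate the attribute.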