XSS in canonical tag.
vdvcoder opened this issue · 2 comments
What steps will reproduce the problem?
- Setting the canonical config to null (using Url::current())
- Capture a post request with Burp Suite.
- Send the post request to Repeater.
- Change the POST URI to:
  POST /<redacted>/<redacted>/<redacted>/<redacted>/deelnemen'"><svg/onload=alert()>
- Send the request.
What is the expected result?
<link rel="canonical" href="https://<redacted>.<redacted>/<redacted>/<redacted>/<redacted>/<redacted>/deelnemen'"><svg/onload=alert()>"/>
What do you get instead?
<link rel="canonical" href="https://<redacted>.<redacted>/<redacted>/<redacted>/<redacted>/<redacted>/deelnemen'"><svg/onload=alert()>"/>
Payload triggers.
Additional info
How to solve:
vendor/artesaos/seotools/src/SEOTools/SEOMeta.php
Line: 475
return $this->canonical ?: (($canonical_config === null) ? app('url')->full() : $canonical_config);
Change into:
return $this->canonical ?: (($canonical_config === null) ? htmlspecialchars(app('url')->current()) : $canonical_config);
NOTE: Also look for other places where you call app('url')->current() to sanitize the input.
Q | A |
---|---|
This Package Version | 0.19.1 |
Laravel Framework Version | 8.32.1 |
PHP version | 7.4 |
Operating system | Mac OS Big Sur |
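
The escaping fix proposed above, shown as an added standalone PHP example; it is not part of the original issue and not the package's code. The function names and the `example.test` host are assumptions, and the flags are passed explicitly because `htmlspecialchars()` escapes single quotes by default only from PHP 8.1, while the report is on PHP 7.4.

```php
<?php
declare(strict_types=1);

// Added example, not code from artesaos/seotools. Function names are hypothetical.

/** Reported behaviour: the request URL reaches the href attribute verbatim. */
function canonicalTagUnescaped(string $url): string
{
    return '<link rel="canonical" href="' . $url . '"/>';
}

/** Hardened form: encode for an HTML attribute context at output time. */
function canonicalTagEscaped(string $url): string
{
    // Flags are explicit because the default before PHP 8.1 is ENT_COMPAT,
    // which leaves single quotes unescaped.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="canonical" href="' . $href . '"/>';
}

/** Regression check: one element, and only the four quotes the template wrote. */
function isSingleWellFormedTag(string $tag): bool
{
    return substr_count($tag, '<') === 1
        && substr_count($tag, '>') === 1
        && substr_count($tag, '"') === 4
        && substr_count($tag, "'") === 0;
}

// Constructed input: placeholder host, path suffix taken from the issue's request.
$url = 'https://example.test/deelnemen\'"><svg/onload=alert()>';

$before = canonicalTagUnescaped($url);
$after  = canonicalTagEscaped($url);

if (isSingleWellFormedTag($before)) {
    throw new RuntimeException('unescaped tag unexpectedly passed the check');
}
if (!isSingleWellFormedTag($after)) {
    throw new RuntimeException('escaped tag failed the check');
}

// Print both forms for side-by-side comparison.
echo $before, PHP_EOL;
echo $after, PHP_EOL;
```

The structural check can be reused as a unit test around any other place where a request-derived URL is written into a tag attribute.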
I use seotools for Laravel but not ideal performance :(
This has nothing to do with XSS. It would be good to review your own code if you're having bad performance.
If there is any specific issue you're having with the package, feel free to open an issue.