polyfony-inc/polyfony

Nasty XSS escaping omission for <title> of Response/HTML

Closed this issue · 0 comments

Response/HTML automatically builds meta tags.
The title of a page is considered by this framework as a meta.
As such it is present in a meta tag, but also as a standalone `<title>` DOM element.

```php
Response\HTML::set([
    'metas'=>[
        'title'=>'<script>alert(1)</script>'
    ]
]);
```

This renders as:

```html
<!doctype html>
<html lang="en">
    <head>
        <!-- properly escaped meta -->
        <meta name="title" content="&lt;script&gt;alert&#x28;1&#x29;&lt;&#x2F;script&gt;" />
        <!-- omitted escaping -->
        <title><script>alert(1)</script></title>
    </head>
<body>
```

All metas are escaped, but the standalone title was omitted and isn't escaped.
If non-validated inputs find their way into the page title, then an XSS is possible.
Turns out, it is really easy to inject non-validated inputs using a non-existing action in an existing controller.
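As an added example (not Polyfony's own code), a minimal head renderer in PHP that applies the same escaping to the `<title>` element as to the meta tags; `escapeHtml`, `buildHead` and `titleIsEscaped` are hypothetical helpers, and the `$escapeTitle` switch only exists to show the reported omission beside the fix.

```php
<?php
// Added example, not Polyfony's code: render <meta> tags and <title>
// from a 'metas' array with one shared escaping rule.

function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function buildHead(array $metas, bool $escapeTitle = true): string
{
    $lines = [];
    foreach ($metas as $name => $content) {
        $lines[] = sprintf(
            '<meta name="%s" content="%s" />',
            escapeHtml((string) $name),
            escapeHtml((string) $content)
        );
    }
    if (isset($metas['title'])) {
        $title = (string) $metas['title'];
        // $escapeTitle = false reproduces the omission from the report:
        // the value goes into <title> untouched.
        $lines[] = '<title>' . ($escapeTitle ? escapeHtml($title) : $title) . '</title>';
    }
    return implode("\n", $lines);
}

// Defensive check: the text between <title> and </title> must not
// contain a raw '<', otherwise markup from the input survived.
function titleIsEscaped(string $head): bool
{
    if (!preg_match('#<title>(.*?)</title>#s', $head, $m)) {
        return true; // no title rendered, nothing to inject into
    }
    return strpos($m[1], '<') === false;
}

$metas = ['title' => '<script>alert(1)</script>']; // constructed input

$vulnerable = buildHead($metas, false);
$fixed      = buildHead($metas);

var_dump(titleIsEscaped($vulnerable)); // bool(false): raw tag inside <title>
var_dump(titleIsEscaped($fixed));      // bool(true): rendered as &lt;script&gt;...
echo $fixed, "\n";
```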