rsanchez/mo_variables

XSS with {get:your_key}

Closed this issue · 2 comments

EE: 2.10.1
Mo Variables: 2.1.1

XSS: /events/?keywords=509"src="http://www.example.com/exploit509.js"/><<<<<<h1>XSS</h1><img src="https://media.glassdoor.com/sqll/255170/securitymetrics-squarelogo-1428593452923.png">

Using an input field in a form, the value parameter is set to {get:keywords}. The XSS will write a visible H1 and IMG tag after the input field. The XSS below will disable the input field.

XSS: /events/?keywords=509"disabled=disabled

EllisLab Response: For that, CodeIgniter has methods like form_prep() designed to prevent a stray quote from breaking out of the value attribute. I'd advise the developer of the add-on to use that, and/or maybe also to generally run the output through something like htmlentities() for general output outside of forms to prevent things like arbitrary HTML from rendering.

FYI, I reached out to you on Twitter if we could speak in private about this matter, so I can give you the address of my site where this is found...
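The EllisLab response above points at form_prep()/htmlentities(). The following is an added example, not code from mo_variables or from anyone in this thread: it renders the reported <input> once with the raw {get:keywords} value and once escaped with PHP's htmlspecialchars(), then uses DOMDocument to check whether the value attribute survives the two payloads quoted in the report. The function names (render_input_raw, render_input_escaped, renders_faithfully) are made up for the illustration.

```php
<?php
// Added example, not part of mo_variables. Shows the vulnerable attribute
// interpolation described in the report beside the escaped form, and a
// DOM-based check that the value attribute stays intact.

function render_input_raw(string $keywords): string {
    // Vulnerable: a " inside $keywords closes the value attribute early.
    return '<input type="text" name="keywords" value="' . $keywords . '">';
}

function render_input_escaped(string $keywords): string {
    // Fixed: " becomes &quot; and < becomes &lt;, so the value can neither
    // terminate the attribute nor start a new tag. This is the standard-
    // library counterpart of the form_prep()/htmlentities() advice.
    $safe = htmlspecialchars($keywords, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="keywords" value="' . $safe . '">';
}

// True when the markup parses to exactly one element (the input) whose
// value attribute round-trips to the original keywords string.
function renders_faithfully(string $html, string $expected): bool {
    libxml_use_internal_errors(true);           // tolerate broken markup
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $body   = $doc->getElementsByTagName('body')->item(0);
    $inputs = $doc->getElementsByTagName('input');
    return $body !== null
        && $body->childNodes->length === 1
        && $inputs->length === 1
        && $inputs->item(0)->getAttribute('value') === $expected;
}

// Constructed inputs: the two payloads from the report, URL-decoded.
$payloads = [
    '509"disabled=disabled',
    '509"src="http://www.example.com/exploit509.js"/><<<<<<h1>XSS</h1>',
];
foreach ($payloads as $p) {
    printf("raw:     %s\n", renders_faithfully(render_input_raw($p), $p) ? 'intact' : 'breaks out');
    printf("escaped: %s\n", renders_faithfully(render_input_escaped($p), $p) ? 'intact' : 'breaks out');
}
```

Running it prints "breaks out" for both raw renderings and "intact" for both escaped ones; the same check can be dropped into the add-on's test suite to guard the fix against regressions.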

Do you want to take a swing at patching this with a pull request? I don't think I'll have any time soon to look into it.

Same, it's Christmas and a lot is going on. If I have the chance to get to it, I will submit a pull request to help. Thanks!