HTML tags get executed on Zebra log window
09173732546 opened this issue · 3 comments
Hi,
I tried to save this in the database, and it gets executed in the Zebra log window:
$message = "<script>alert('hello');</script>";
I used TRIM("' . $db->escape($message) . '") and it is saved as <script>alert('hello');</script>, and it gets executed as XSS after the SELECT query.
I did not escape it and it is saved as <script>alert('hello');</script>, and it gets executed as XSS after the SELECT query.
If I use htmlspecialchars the HTML is output normally, but it still gets executed as XSS in the Zebra log window.
I think I had no issues before, but when I downloaded the latest Zebra_Database and used PHP 7.2 this happened.
I can't reproduce this using any of the methods below:
$message = "<script>alert('hello');</script>";
// everything ok: insert() binds the value itself
$db->insert('table', array(
'column' => $message,
));
// everything ok: parameterized query (the original had `array(message)`, a missing `$`)
$db->query('INSERT INTO table (column) VALUES (?)', array($message));
// everything ok: manual escaping of the interpolated value
$db->query('INSERT INTO table (column) VALUES ("' . $db->escape($message) . '")');
Oh, I see what you mean: the error is when SELECTing that inserted row. On it.
Should be fixed now. Thanks a lot for reporting!
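To make the bug class in this thread concrete, here is an added illustration (not Zebra_Database's own code) of why escaping on INSERT does not help: `$db->escape()` only makes the value safe for SQL, and the string comes back from SELECT unchanged, so a debug console that prints it into HTML without output encoding executes it. The sample row, the `render_row_*` function names and the table layout are assumptions made for this example.

```php
<?php
// Constructed sample row, as it would come back from a SELECT of the
// value inserted in the issue above (assumed column name 'column').
$row = array(
    'id'     => 1,
    'column' => "<script>alert('hello');</script>",
);

// Vulnerable rendering: cell values are concatenated into HTML verbatim,
// so any markup stored in the database is handed to the browser as markup.
function render_row_unsafe(array $row): string
{
    $html = '<tr>';
    foreach ($row as $name => $value) {
        $html .= '<td>' . $value . '</td>';   // no output encoding at all
    }
    return $html . '</tr>';
}

// Hardened rendering: every cell is HTML-encoded at the moment it is
// written into the page. ENT_QUOTES also encodes quotes, which matters if a
// value ever lands inside an attribute; naming the charset avoids silent
// mis-decoding of non-UTF-8 bytes. The database row itself is left alone:
// encoding belongs at the output boundary, not at storage time.
function render_row_safe(array $row): string
{
    $html = '<tr>';
    foreach ($row as $name => $value) {
        $encoded = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<td>' . $encoded . '</td>';
    }
    return $html . '</tr>';
}

// The first line carries the live <script> tag; in the second the angle
// brackets and quotes are entity-encoded and display as literal text.
echo render_row_unsafe($row), PHP_EOL;
echo render_row_safe($row), PHP_EOL;
```

The same rule applies to column names and query text shown in a debug window: anything that originates outside the code path rendering the page gets encoded with `htmlspecialchars` on the way out.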