Commit
The current approach to sanitize HTML tag attributes by TagBuilder can be improved to only allow certain characters. As TagBuilder is a low-level API to create arbitrary HTML tags, the goal is not to prevent any JavaScript from being executed because this might be a desired behavior in some use cases. We would like to prevent the following:

```php
$unsafeInput = "onclick='alert(1)'";
$tagBuilder->addAttribute($unsafeInput, 'some value');
```

While still allowing the following:

```php
$tagBuilder->addAttribute('onclick', 'doSomething()');
```

Thus, this patch applies a strict allow-list to argument names and throws an exception if any other characters are used. The characters are limited to ASCII characters except for select characters that are problematic in HTML attributes, such as single and double quotes, equal signs, less/greater than, forward slashes, ampersands and white space. Developers are advised to be very careful when using user input as attribute names as this change cannot prevent all accidental and thus potentially malicious JavaScript execution. Thanks to @GatekeeperBuster for making us aware of this.
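As an added illustration of the allow-list the commit describes (a hypothetical helper written for this page, not TYPO3's TagBuilder code; `assertValidAttributeName` and `renderTag` are names assumed here):

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the project's code): reject any attribute name
 * that is not plain printable ASCII, or that contains a character which can
 * terminate or escape the attribute position inside a tag. The excluded set
 * mirrors the one listed in the commit message: single and double quotes,
 * equals, less/greater than, forward slash, ampersand and whitespace.
 */
function assertValidAttributeName(string $name): void
{
    if ($name === '') {
        throw new InvalidArgumentException('Attribute name must not be empty.');
    }
    // Printable ASCII only (0x21-0x7E): this also excludes space, tabs,
    // newlines, control characters and any multi-byte UTF-8 sequence.
    if (preg_match('/[^\x21-\x7E]/', $name) === 1) {
        throw new InvalidArgumentException(
            sprintf('Attribute name "%s" contains non-ASCII, control or whitespace characters.', $name)
        );
    }
    // Characters that would let a name break out of the attribute list.
    if (preg_match('/[\'"=<>\/&]/', $name) === 1) {
        throw new InvalidArgumentException(
            sprintf('Attribute name "%s" contains a forbidden character.', $name)
        );
    }
}

/** Builds an opening tag; the tag name is assumed developer-controlled here. */
function renderTag(string $tagName, array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        assertValidAttributeName((string)$name);
        // Values are still escaped as usual; the allow-list only covers names.
        $parts[] = $name . '="' . htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5) . '"';
    }
    return '<' . $tagName . ($parts !== [] ? ' ' . implode(' ', $parts) : '') . '>';
}

// Constructed inputs for the demo, matching the two cases in the commit message.
echo renderTag('a', ['onclick' => 'doSomething()']), PHP_EOL;        // accepted
try {
    renderTag('a', ["onclick='alert(1)'" => 'some value']);           // rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call prints `<a onclick="doSomething()">`; the second throws, because the name itself carries quotes and an equals sign.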
Showing 3 changed files with 70 additions and 7 deletions.