
Phalcon\Tag::getTitle should escape content #11185

Closed
kristofferingemansson opened this issue Dec 2, 2015 · 1 comment
Labels
bug A bug report status: medium Medium

Comments

@kristofferingemansson
Contributor

Title generation with Phalcon\Tag is subject to XSS when used with user generated content.
Automatic escaping needs to be added.

```php
<?php
// Reproduction from the report: the payload closes the <title> element and injects a script.
$maliciousContent = "</title><script>alert('Got your nose!');</script><title>";
// Fetch the shared 'tag' service from the default DI container.
$tag = \Phalcon\Di::getDefault()->getShared('tag');
// The user-controlled string is placed into the title without escaping.
$tag->prependTitle("Hello $maliciousContent!");
print $tag->getTitle();
```

Actual:

<title>Hello </title><script>alert('Got your nose!');</script><title>!</title>

Expected:

<title>Hello &lt;/title>&lt;script>alert('Got your nose!');&lt;/script>&lt;title>!</title>

Phalcon 2.0.8 WIN32, running on PHP 5.5.24 CLI, Windows 7 Pro x64
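The following is an added example, not code from the issue and not Phalcon's own fix: a minimal, standalone title builder (the `SafeTitle` class and its `prepend`, `append` and `render` methods are assumed names for illustration) that escapes every user-supplied segment with `htmlspecialchars` before it is placed inside `<title>`, together with the two checks a regression test for this report would make.

```php
<?php
// Added example (not Phalcon's code): escape title segments so user input
// can never terminate the <title> element or introduce new tags.

final class SafeTitle
{
    /** @var string[] Raw, unescaped title segments in display order. */
    private array $parts = [];

    public function prepend(string $text): void
    {
        array_unshift($this->parts, $text);
    }

    public function append(string $text): void
    {
        $this->parts[] = $text;
    }

    /**
     * Render the <title> element. Each segment is escaped individually;
     * the separator is trusted markup-free text supplied by the caller.
     */
    public function render(string $separator = ' - '): string
    {
        $escaped = array_map(
            fn(string $p): string => htmlspecialchars($p, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            $this->parts
        );
        return '<title>' . implode($separator, $escaped) . '</title>';
    }
}

// Constructed input: the same payload shape reported in the issue.
$malicious = "</title><script>alert('Got your nose!');</script><title>";

$title = new SafeTitle();
$title->prepend("Hello $malicious!");
$html = $title->render();

// Regression checks: exactly one <title> element, and no raw <script> tag.
assert(substr_count($html, '<title>') === 1 && substr_count($html, '</title>') === 1);
assert(strpos($html, '<script') === false);

echo $html, PHP_EOL;
```

Note that `htmlspecialchars` escapes `>`, `&` and both quote characters in addition to `<`, so the rendered output is stricter than the "Expected" string in the report (which only escapes `<`), but it satisfies the same requirement: the injected payload is rendered as text inside the single `<title>` element. Escaping per segment, rather than once over the joined string, keeps the separator under the application's control and avoids double-escaping if a segment is later reused elsewhere.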

@sergeyklay
Contributor

Thanks. Fixed in 2.0.x branch.

@niden niden added bug A bug report status: medium Medium and removed Bug - Medium labels Dec 23, 2019