-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS vulnerability inside <TextArea> elements (no escaping/htmlentities being done) #12428
Comments
@hi2u How about to use the TextArea as part of HTML editor? The escaping out of box will break such use. At least it's not a minor hotfix. In my opinion you have to escape user's input (for example in the controller's action) but not output. In any case this is an ambiguous question and I need time to think about it. Could you please provide minimal code which could be reproduced to understand its correct use case? |
Sorry, I didn't really understand what you mean here? I've done up a simple example. You can just paste this action code into a controller: public function xsstextareaAction()
{
$Form = new \Phalcon\Forms\Form();
$e = new \Phalcon\Forms\Element\Text('demoTextField');
$e->setDefault('this is automatically made safe <html> "doubles quotes" \'single quotes\' ');
$Form->add($e);
$e = new \Phalcon\Forms\Element\TextArea('demoTextAreaField');
$e->setDefault('this is NOT automatically made safe </textarea> <html> "doubles quotes" \'single quotes\' <script>alert(\'this shouldnt happen\');</script> ');
$Form->add($e);
foreach ($Form as $Element) echo $Element;
} The resulting HTML rendered is: <input type="text" id="demoTextField" name="demoTextField" value="this is automatically made safe <html> "doubles quotes" 'single quotes' " />
<textarea id="demoTextAreaField" name="demoTextAreaField">this is NOT automatically made safe </textarea> <html> "doubles quotes" 'single quotes' <script>alert('this shouldnt happen');</script> </textarea> As you can see, the regular one-line INPUT is converting special characters into HTML entities on output like it should. But the TEXTAREA does not. Everything I've read about XSS recommends doing the escaping on output (not input), because the data in your database could be coming from anywhere, including non-web systems outside of your own control. You can't rely on your source data having already converted all its special characters to HTML entities. As that would cause all sorts of issues. And escaping is context specific, e.g. if the data is getting sent in a plain text email, you don't want it to be pre-polluted with HTML entities. That's how we end up with stuff like this: https://www.instagram.com/p/SVfQruppEE/ :) ... I came across that on this page about XSS input vs output: http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/ In either case, TextArea should be consistent with Phalcon's Text/Select/etc elements. But it really should be on output, as Text, Select etc correctly do. If there are some specific reasons that content shouldn't be converted inside TEXTAREA tags, maybe it should just at least check for a Are there any downsides to just sanitizing it using the same method as Text/Select etc? |
Sorry about closing the ticket before, clicked the wrong button. I also just now tested how Phalcon behaves with special characters inside the values of e.g: if my database has an option with value:
\Phalcon\Forms\Element\Select is automatically rendering as: <option value="51">Data with <tag> "quotes" 'quote'</option> So I'm guessing Phalcon is doing it for most other form fields too? Except for TextArea. |
So Yes this is an issue and not at the same time. Some might argue that the framework should filter things automatically (as seen in other This is not a difficult fix. However, if we introduce a fix for this using For the above we decided to release this in 4.0.0, since it can be a breaking change. Thanks @hi2u for reporting this. |
Thanks for the feedback.
A few might, but they definitely seem to be in the minority. Pretty much every XSS guide recommends doing it on output for the reasons I mentioned above and a bunch more. And this is how Phalcon itself does it for all other fields. So whichever opinion you have about input vs output, Phalcon is doing it inconsistently. But yes I agree with what you're saying about breaking changes generally.
There's 4 possible approaches for how current users of Phalcon are handling this right now...
Considering that this is only noticeable if a user specifically enters Not many people would have noticed this inconsistent behaviour, because it's really only ever a serious security issue if two different people are viewing the rendered form containing the malicious code. An example of where this might be an issue is an attacking user entering malicious code into the TextArea, and then an admin user also edits that record in the same form later on. In this case the admin user's browser will execute the attacker's code. I've actually demonstrated this on the forum (see below). It would be interesting to try this out on some other sites that we know are written in Phalcon to see what happens. If anybody reading this could please try the following on your own sites, or any others you know that use Phalcon, we'll see if we can get a few stats on this...
If my guess about most people being in group I just tested it on the Phalcon forum. By entering this into the TextArea of my post...
...then returning to the form by editing my comment, I got it to do this: Also, funnily enough, there's an example of why XSS escaping on input is bad on that forum post itself - go there and hold your mouse over the browser tab, you'll see the title:
Are you guys admins on the forum? Can you edit users posts? If so, go there and edit my post here: https://forum.phalconphp.com/edit/discussion/14891 - when you open the form, you'll be executing the JavaScript code I put in there (it's actually harmless of course). So, so far of my personal (limited) testing of my own sites + the Phalcon forum, they're all in category |
Thank you for contributing to this issue. As it has been 90 days since the last activity, we are automatically closing the issue. This is often because the request was already solved in some way and it just wasn't updated or it's no longer applicable. If that's not the case, please feel free to either reopen this issue or open a new one. We will be more than happy to look at it again! You can read more here: https://blog.phalconphp.com/post/github-closing-old-issues |
@hi2u This has been addressed. Thank you! |
When using Phalcon's Phalcon\Forms\Element\TextArea element, no escaping/htmlentities is done on the value in between the real <textarea> and </textarea> tags. A malicious user simply entering </textarea> into the form allows any following client-side code to be executed when returning to the form.
Example form with malicious user input:
Next time the form is rendered, the malicious code gets executed:
This behaviour is inconsistent with Phalcon\Forms\Element\Text which does safely convert special characters to HTML entities.
I'm using Phalcon 3.0.1 on Ubuntu 16.04 64bit with PHP 7.0.8-0ubuntu0.16.04.3 (standard official Ubuntu repo package at present).
This appears to be where the tag is generated, "content" isn't escaped: https://github.com/phalcon/cphalcon/blob/v3.0.1/phalcon/tag.zep#L963
In the meantime, you can work around this issue by using this extended element class (instead of using Phalcon\Forms\Element\TextArea directly)...
The text was updated successfully, but these errors were encountered: