Skip to content

Commit

Permalink
Merge pull request #83 from carakas/master
Browse files Browse the repository at this point in the history
Textareas and input type text xss fix when allowHTML option is set to true
  • Loading branch information
carakas authored Aug 30, 2021
2 parents 60e69d2 + f0b4894 commit 576e572
Show file tree
Hide file tree
Showing 6 changed files with 37 additions and 4 deletions.
2 changes: 1 addition & 1 deletion spoon/form/hidden.php
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ public function isFilled()
public function parse($template = null)
{
// start html generation
$output = '<input type="hidden" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
$output = '<input type="hidden" value="' . $this->getValue(false) . '"';

// build attributes
$attributes = array();
Expand Down
2 changes: 1 addition & 1 deletion spoon/form/text.php
Original file line number Diff line number Diff line change
Expand Up @@ -789,7 +789,7 @@ public function parse($template = null)

// start html generation
// note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true
$output = '<input value="' . $this->getValue() . '"';
$output = '<input value="' . $this->getValue(false) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
Expand Down
2 changes: 1 addition & 1 deletion spoon/form/textarea.php
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,7 @@ public function parse($template = null)
$output = '<textarea';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue()));
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue(false)));

// close first tag
$output .= '>';
Expand Down
2 changes: 1 addition & 1 deletion spoon/tests/form/SpoonFormHiddenTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ public function testParse()
// Make sure we encode XSS payloads
$_POST['hidden'] = 'But I am le tired\'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>';
$this->assertEquals(
'<input type="hidden" value="But I am le tired&amp;#039;&amp;quot;()%26%25&amp;lt;yes&amp;gt;&amp;lt;ScRiPt%20&amp;gt;alert(1)&amp;lt;/ScRiPt&amp;gt;" id="hidden" name="hidden" />',
'<input type="hidden" value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="hidden" name="hidden" />',
$this->hidHidden->parse()
);
}
Expand Down
21 changes: 21 additions & 0 deletions spoon/tests/form/SpoonFormTextTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -352,12 +352,33 @@ public function testParse()
'<input value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);
$_POST['name'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(
'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

// Make sure we do not do double encoding on the ampersand
$_POST['name'] = 'Something & something else';
$this->assertEquals(
'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

// now let's try it with HTML allowed
$this->txtName = new SpoonFormText('name', 'I am the default value', null, 'inputText', 'inputTextError', true);
$this->frm->add($this->txtName);

$_POST['name'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(
'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);

$_POST['name'] = 'Something & something else';
$this->assertEquals(
'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
$this->txtName->parse()
);
}
}
12 changes: 12 additions & 0 deletions spoon/tests/form/SpoonFormTextareaTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -106,4 +106,16 @@ public function testGetValue()
$_POST['message'] = array('foo', 'bar');
$this->assertEquals('Array', $this->txtMessage->getValue(true));
}

public function testXSS()
{
$_POST['form'] = 'textarea';
$_POST['message'] = '"><svg/onload=alert(document.domain)>';
$this->assertEquals(SpoonFilter::htmlspecialchars($_POST['message']), $this->txtMessage->getValue());
$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());

$this->txtMessage = new SpoonFormTextarea('message', 'I am the default value', 'inputTextarea', 'inputTextareaError', true);
$this->frm->add($this->txtMessage);
$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());
}
}

0 comments on commit 576e572

Please sign in to comment.