Escape LorisForm value in HTML #9419

Open

maximemulder wants to merge 1 commit into aces:main from maximemulder:2024-10-23_fix-lorisform-escape
Conversation
maximemulder added the Security label (PR patches a vulnerability, makes resource access changes, or updates dependencies) on Oct 23, 2024
maximemulder force-pushed the 2024-10-23_fix-lorisform-escape branch from c34f467 to d2f7d73 on October 23, 2024 21:14
```
PHP Fatal error: Uncaught TypeError: htmlspecialchars(): Argument #1 ($string) must be of type string, null given in /var/www/Loris/php/libraries/LorisForm.class.inc:949
Stack trace:
#0 /var/www/Loris/php/libraries/LorisForm.class.inc(949): htmlspecialchars()
#1 /var/www/Loris/php/libraries/LorisForm.class.inc(1526): LorisForm->textHTML()
#2 /var/www/Loris/php/libraries/LorisForm.class.inc(1689): LorisForm->renderElement()
#3 /var/www/Loris/php/libraries/NDB_Page.class.inc(789): LorisForm->toArray()
#4 /var/www/Loris/php/libraries/NDB_Form.class.inc(139): NDB_Page->display()
#5 /var/www/Loris/src/Middleware/UserPageDecorationMiddleware.php(248): NDB_Form->handle()
#6 /var/www/Loris/src/Middleware/PageDecorationMiddleware.php(59): LORIS\Middleware\UserPageDecorationMiddleware->process()
#7 /var/www/Loris/php/libraries/NDB_Page.class.inc(726): LORIS\Middleware\PageDecorationMiddleware->process()
#8 /var/www/Loris/php/libraries/Module.class.inc(322): NDB_Page->process()
#9 /var/www/Loris/src/Middleware/ResponseGenerator.php(51): Module->handle()
#10 /var/www/Loris/src/Middleware/AuthMiddleware.php(64): LORIS\Middleware\ResponseGenerator->process()
#11 /var/www/Loris/src/Router/ModuleRouter.php(75): LORIS\Middleware\AuthMiddleware->process()
#12 /var/www/Loris/src/Middleware/ExceptionHandlingMiddleware.php(55): LORIS\Router\ModuleRouter->handle()
#13 /var/www/Loris/src/Router/BaseRouter.php(138): LORIS\Middleware\ExceptionHandlingMiddleware->process()
#14 /var/www/Loris/src/Middleware/ResponseGenerator.php(51): LORIS\Router\BaseRouter->handle()
#15 /var/www/Loris/src/Middleware/ContentLength.php(53): LORIS\Middleware\ResponseGenerator->process()
#16 /var/www/Loris/htdocs/index.php(74): LORIS\Middleware\ContentLength->process()
#17 {main}
  thrown in /var/www/Loris/php/libraries/LorisForm.class.inc on line 949
```

Yeah, yeah, I saw the CI errors, haven't had time to tackle them yet, no need to remind me 😅 (although I probably should have set the PR as a draft until the errors are resolved, my mistake on that).
maximemulder force-pushed the 2024-10-23_fix-lorisform-escape branch from d2f7d73 to 27cfe3b on October 24, 2024 19:26
Just adding this for history: #6223
The `LorisForm` class contains an XSS vulnerability as it can paste data from the GET parameters directly into the HTML.

The `getValue` function reads the GET parameters, but it is also used by code unrelated to the HTML, therefore the escape should be done at the call site, not in the function directly. There may be a risk of double escape as `getValue` can get its value from other sources.

Having now looked at the code, I agree that we should get rid of `LorisForm`: building HTML as strings directly (and with so many layers of indirection) is a practice that is 15~20 years old (LORIS is that old, so that makes sense!) and unmaintainable IMO.

Testing: Not tested (which page should I try?).