Closed cayman54 closed 9 years ago

Hi, there is an XSS vulnerability when we send a message with this bundle: when we enter `<script>some script here</script>`, the script is executed.

Hello @cayman54 and thanks for sharing this!
I'm not able to reproduce the problem. Can you give me a bit more information, like in which field did you put the JavaScript to trigger the problem and which page are you looking at?
Twig should take care of XSS by escaping displayed data; are you using it with the default templates?

Hello, you're right, I use a custom implementation of templates and controller... I think the problem is in my implementation. When I send the form I do this:

```php
$data = $form->getData();
```

and then:

```php
$threadBuilder->setSubject($data['body']);
```

I think I don't escape XSS doing only this.

The issue is most probably in your template. The templates of the bundle are relying on Twig auto-escaping, so they are safe.
You should rely on your templating system to secure XSS. I close this, but thanks :) .

Thank you, I will check my template.
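The point made above about Twig auto-escaping can be seen directly by rendering the same submitted body through a template with escaping on and one that opts out of it. This is an added example, not code from the bundle or from either participant in the thread; it assumes twig/twig is installed through Composer, and the message body is a constructed sample value.

```php
<?php
// Added example: why the bundle's default Twig templates are safe against the
// reported input, and how a custom template or controller can lose that protection.
// Assumes twig/twig is installed via Composer (vendor/autoload.php present).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input, standing in for a submitted message body.
$body = '<script>some script here</script>';

$templates = [
    // Safe: with auto-escaping on, < > " ' & are converted to HTML entities on output.
    'safe.html.twig'   => '<p class="body">{{ body }}</p>',
    // Unsafe: the raw filter opts out of escaping, so the markup reaches the browser intact.
    'unsafe.html.twig' => '<p class="body">{{ body|raw }}</p>',
];

// Twig's default configuration: the 'html' auto-escaping strategy is enabled.
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

echo $twig->render('safe.html.twig', ['body' => $body]), PHP_EOL;
echo $twig->render('unsafe.html.twig', ['body' => $body]), PHP_EOL;

// A custom controller that assembles HTML by string concatenation instead of
// going through Twig is in the same position as the unsafe template. If Twig is
// not in the loop, escape at the output boundary with htmlspecialchars().
$manual = '<p class="body">' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
echo $manual, PHP_EOL;
```

Run with `php example.php`: the first and third lines print the script tag as `&lt;script&gt;...&lt;/script&gt;` text inside the paragraph, while the second line prints it as live markup. The difference is entirely in the template: the same `$data['body']` value is passed in each time, which is why the fix belongs in the templating layer rather than in the controller that calls `setSubject()`.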