MUlt1mate / cron-manager

A PHP cron task manager for MVC-type applications
MIT License
405 stars 70 forks

Possible XSS vulnerability in Codeigniter #23

Open enferas opened 1 year ago

enferas commented 1 year ago

Hello,

I would like to report a possible XSS vulnerability with date_begin and date_end.

In file cron-manager-master\examples\codeigniter\application\controllers\TasksController.php

public function tasksReport()
{
    // Both values are taken straight from the query string with no validation
    $date_begin = isset($_GET['date_begin']) ? $_GET['date_begin'] : date('Y-m-d', strtotime('-6 day'));
    $date_end = isset($_GET['date_end']) ? $_GET['date_end'] : date('Y-m-d');

    // ...and passed to the view, which echoes them unescaped (see report.php below)
    $this->load->view('tasks/report', array(
        'report' => Task::getReport($date_begin, $date_end),
        'date_begin' => $date_begin,
        'date_end' => $date_end,
    ));
}

In file cron-manager-master\examples\codeigniter\application\views\tasks\report.php

    <div class="form-group">
        <label for="date_begin" class="control-label">Date begin</label>
        <input type="date" value="<?= $date_begin ?>" name="date_begin" id="date_begin" class="form-control">
    </div>
    <div class="form-group">
        <label for="date_end" class="control-label">Date end</label>
        <input type="date" value="<?= $date_end ?>" name="date_end" id="date_end" class="form-control">
    </div>
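
A hardened version of the controller/view pair above, added here as an example (it is not code from the reporter or from the cron-manager project). It assumes plain PHP with no CodeIgniter loaded, so htmlspecialchars() stands in for CodeIgniter's html_escape(); sanitizeDate() and e() are helper names chosen for this example.

```php
<?php
// Added example, not the project's code: validate on input, escape on output.
// Assumed: plain PHP (no CodeIgniter), so htmlspecialchars() replaces html_escape().

// Accept only a real calendar date in Y-m-d form; anything else
// (including markup smuggled in via ?date_begin=...) falls back to $default.
function sanitizeDate($value, string $default): string
{
    if (!is_string($value)) {          // rejects ?date_begin[]=... (array input)
        return $default;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat() is lenient (e.g. 2023-02-31 rolls over into March),
    // so round-trip the value to make sure it is exactly what was supplied.
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return $default;
    }
    return $value;
}

// Escape on output as well: defence in depth in case a value ever reaches
// the view through a code path that skips validation.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Controller side (same defaults as the original: six days ago to today).
$date_begin = sanitizeDate($_GET['date_begin'] ?? null, date('Y-m-d', strtotime('-6 day')));
$date_end   = sanitizeDate($_GET['date_end'] ?? null, date('Y-m-d'));
?>
<!-- View side: the same inputs as report.php, now with escaped output -->
<div class="form-group">
    <label for="date_begin" class="control-label">Date begin</label>
    <input type="date" value="<?= e($date_begin) ?>" name="date_begin" id="date_begin" class="form-control">
</div>
<div class="form-group">
    <label for="date_end" class="control-label">Date end</label>
    <input type="date" value="<?= e($date_end) ?>" name="date_end" id="date_end" class="form-control">
</div>
```

Validation alone is what keeps the report query honest, and escaping alone is what keeps the page safe; applying both means a single mistake in either layer is not enough to reintroduce the bug.
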
MUlt1mate commented 1 year ago

Hello @enferas. Thanks for reaching out. Sorry about the very late response, I was genuinely going to make changes, but I don't have time for this project. The changes in code look pretty straightforward, but I don't use PHP anymore, so it's more complicated for me to just set up the environment. If you make a PR with the changes I'll be happy to merge it.