liayn
commented
1 month ago Thanks for the work done here. My take on this: We cannot cover all cases properly. Attributes are the responsibility of the integrator. The warning about being careful about attributes created from user-input should be places somewhere really well visible.
Code-wise I would not try to validate anything, otherwise more reports will pop-up like "nice, but you do not cover XYZ". That's not going to help us. I'd stick with the motto "Do it right or not at all." in this case.
s2b
The current approach to sanitize HTML tag attributes by TagBuilder can be improved to only allow certain characters. As TagBuilder is a low-level API to create arbitrary HTML tags, the goal is not to prevent any JavaScript from being executed because this might be a desired behavior in some use cases.
We would like to prevent the following:
While still allowing the following:
Thus, this patch applies a strict allow-list to argument names and throws an exception if any other characters are used. The characters are limited to ASCII characters except for select characters that are problematic in HTML attributes, such as single and double quotes, equal signs, less/greater than, forward slashes, ampersants and white space.
Developers are advised to be very careful when using user input as attribute names as this change cannot prevent all accidential and thus potentially malicious JavaScript execution.
This will be downported to Fluid 2.15.
Thanks to @GatekeeperBuster for making us aware of this.
Resolves: #936