Closed neoighodaro closed 1 year ago
For anyone who wants a quick fix (I don't think it's comprehensive but since this is the entry point to blade, we fix the custom blade seo
directive):
dont-discover
so the service provider is not loadedapp.php
boot
method as seen below, the only change is the addition of the e helper to seo()->get()
public function boot(): void
{
// ...
BladeHelper::directive('seo', function (...$args) {
// ...
return e(seo()->get($args[0]));
});
}
Thank you for reporting this. I've fixed the issue here https://github.com/archtechx/laravel-seo/commit/f6d85e3dfef57f54931a3f3b427f8b1d93deef4e and will make a release shortly.
I've approached the fix in a similar way (see the SEOManager
diff in the linked commit). Main difference is that we don't wrap EVERY output in e()
, only get()
and set()
calls. Also the @seo
directive calls render()
, not get()
.
Reason for not sanitizing every output of render()
is that URLs may come from it (currently only when using flipp
or previewify
calls) and those shouldn't be escaped. All other values get wrapped in e()
and that fixes any potential XSS issues, yeah.
Thanks!
It may appear (may be wrong) that the package is vulnerable to XSS as it does not properly sanitize the input. Example:
Completely breaks the description and seems to push the meta directly into the
body
of the page. Potentially dangerous. Let me know if you need help reproducing it.