formers / former

A powerful form builder, for Laravel and other frameworks (stand-alone too)
https://formers.github.io/former/

Encode checkbox value to prevent XSS attack #584

Closed carlosvini closed 5 years ago

carlosvini commented 5 years ago

Hi,

The default behavior of Former is to use $_GET variables to populate the form fields, if I understood correctly.

This makes an XSS attack possible because checkboxes are not escaping their values.

A similar fix was made here in 2014 for hidden inputs: https://github.com/formers/former/commit/58596440993dd09e77724e24afdbb229e227946b

I had a hard time trying to use the right version for the tests, since there's no composer.lock, but when I got it right all tests passed.

Steps to reproduce:

Expected behavior:

What happens:

carlosvini commented 5 years ago

It seems passing the checkbox name in $_GET as an array is also a problem, i.e. ?name[]=X instead of only ?name=X.

Like: http://127.0.0.1:8000/?test[]="><h1><i>some HTML here</i></h1>

But this time the label tag has unescaped HTML. The previously mentioned problem had HTML inside the attribute value of the input tag.

I will see if I find time to make a pull request for this one too.
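As a defender-side illustration of the two cases raised in this thread (the unescaped checkbox value attribute, and the unescaped label text when the name is submitted as an array), here is an added example. It is not Former's own code and was not posted by the issue author; the function names `e()` and `renderCheckbox()`, the `$source` parameter standing in for `$_GET`, and the sample request data are all assumptions made for the example.

```php
<?php
// Added example (not Former's code): render a checkbox whose value and label
// come from request input, HTML-encoding name, value and label so a payload
// such as ?test[]="><h1>...</h1> cannot break out of the attribute or the
// <label> element.

/**
 * Encode a string for safe insertion into HTML text or a quoted attribute.
 * ENT_QUOTES covers both single and double quotes; ENT_SUBSTITUTE avoids
 * returning an empty string when the input is not valid UTF-8.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical checkbox renderer. $source stands in for the request data
 * (for example $_GET) that a form builder uses to repopulate fields.
 */
function renderCheckbox(string $name, string $label, array $source): string
{
    $raw = $source[$name] ?? '';

    // A name submitted as ?name[]=X arrives as an array; take the first
    // entry explicitly instead of letting it be cast to the string "Array"
    // or passed through unencoded.
    $value = is_array($raw) ? (string) reset($raw) : (string) $raw;
    $checked = $value !== '' ? ' checked' : '';

    // Every piece of request-derived text goes through e() before it is
    // concatenated into markup, whether it lands in an attribute or in the
    // label's text content.
    return '<label><input type="checkbox" name="' . e($name) . '"'
        . ' value="' . e($value) . '"' . $checked . '> '
        . e($label) . '</label>';
}

// Constructed request data reproducing the payload shape from the issue;
// both the scalar and the array form are exercised.
$payload = '"><h1><i>some HTML here</i></h1>';

echo renderCheckbox('test', 'Label: ' . $payload, ['test' => $payload]), PHP_EOL;
echo renderCheckbox('test', 'Label: ' . $payload, ['test' => [$payload]]), PHP_EOL;
```

Both lines of output keep the quote and angle brackets as `&quot;`, `&lt;` and `&gt;` entities, so the browser renders the payload as literal text inside the value attribute and the label rather than as new elements. The same encoding step is what the 2014 hidden-input commit linked above applied to that field type.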