Closed: m3m1t1m closed 5 days ago
Hi
Thanks for the bug report, I added escaping to input values for CRUD forms in admin/template/crud.tpl#L13 in the last commit https://github.com/givanz/Vvveb/commit/0331f4b1f3f742a8445ce89c8177318aad4925a9
Direct assignment, which is usually used in templates, will always escape HTML tags.
```
input[data-v-user-first_name]|value = $firstname
[data-v-user-*] = $this->user['@@__data-v-user-(*)__@@']
```
Fixed it for app/template/user/profile.tpl#L3
Thank you @givanz! I'll close this issue.
Hi! I've been using this CMS for a project and noticed a potential security issue. The profile template (and possibly others) for a user signing up appears to have the potential to inject arbitrary HTML and JavaScript.
This causes the JavaScript to execute on their own profile, but also for any admins viewing the user account in the administration panel. This could lead to someone gaining access to the administration section via the compromised admin who executes the JavaScript.
It looks like the introduction of HTML may have been intentional from this commit 3198de8, but I thought I should raise this side effect as an issue, as stored XSS has the potential to be a very dangerous vulnerability.
I've managed to stop the execution in the user profile section by using htmlspecialchars() before the echo in the profile.tpl file, but wasn't sure if this is going to cause issues elsewhere going by the earlier commit.
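The contrast the thread describes, as an added example that is not Vvveb's own template code: a stored profile value echoed raw into an attribute next to the same value passed through htmlspecialchars() before output, as the reporter did in profile.tpl and as the maintainer's fix applies to the admin CRUD form. The function names and the sample first name are constructed for this illustration.

```php
<?php
// Added example (not Vvveb project code). Shows why a raw echo of a stored
// user field allows stored XSS and how escaping at output time prevents it.
// Function names and the sample value below are constructed for this example.

declare(strict_types=1);

/** Unsafe rendering: the stored value lands in the page verbatim. */
function renderFirstNameUnsafe(string $firstName): string
{
    return '<input name="first_name" value="' . $firstName . '">';
}

/** Escape a value for an HTML element or attribute context. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both double and single quotes, so the value cannot
    // break out of a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string (which would silently drop data).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Safe rendering: escape at the point of output, not at the point of storage. */
function renderFirstNameSafe(string $firstName): string
{
    return '<input name="first_name" value="' . escapeHtml($firstName) . '">';
}

// Constructed sample: a first name that closes the attribute and adds markup.
$sample = '"><script>alert(1)</script>';

$unsafe = renderFirstNameUnsafe($sample);
$safe   = renderFirstNameSafe($sample);

// The unsafe output contains a live <script> element; the escaped output
// contains only text, e.g.
// <input name="first_name" value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;

// A quick self-check a reviewer can run: no angle bracket from the input
// survives escaping, so the browser parses it as attribute text only.
if (str_contains($safe, '<script>')) {
    throw new RuntimeException('escaping failed');
}
```

Escaping at output time (rather than stripping tags on save) is what makes the maintainer's "direct assignment always escapes HTML" behaviour a reliable default: the stored value stays intact, and every template that renders it, including the admin panel views where the reporter observed the script running, gets a safe string.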