Closed ghost closed 4 years ago
@pH-7 I'm also having problems trying to get this to throw the error again, perfect install every time. There is a way to mess the install up and you get a yellow error box with a Smarty error.
What was the reason you decided to create your own template system? I like pH7Tpl and it's simpler than Smarty, but I do wonder what the reason for designing and creating your own template engine was, as this was clearly a lot of extra work...
@Undefined-Variables Hi! I could answer for him... It wasn't that much work. The nice thing with object-based design and design patterns is that you can reuse what you develop in different settings. And honestly, writing such a templating system is a week or two, at most, when you do the correct planning from the beginning.
It's nothing more than a huge "Regular Expression" parser...
Nice reflection... sorry trying to joke around with "Reflected" ;-)
I see what you are saying... By putting the effort in at the beginning with careful planning, of course the job only needs doing once, and from then on it will benefit you, improve workflow and make life easier too!
Thanks very much. Okay, so that's good news if we cannot reproduce that Smarty error anymore. I will then go ahead with releasing v16 🎉
@Undefined-Variables Great question!! Indeed, we shouldn't reinvent the wheel. I could just use Twig or Smarty. However, at that time (10 years ago when the first pH7Tpl came up), I was really focused deeply on lexical and syntactic parsers and analyzers, and I also just wanted to build a template language for my framework. It was more a personal challenge :) Finally, most of the template languages out there (except Smarty) were just an interpreter, and not a lot of them compiled the template language into PHP code, and optimized and stored them as cached files.
The goal with pH7Tpl was to build a really fast and lightweight template language that can store all compiled files as long as the source tpl files aren't modified, and with the fewest regular expressions (since they slow down performance and are ugly).
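A compile-to-PHP engine with a cache keyed on the source file's modification time, in the style the comment above describes. This is an added illustration, not pH7Tpl's own code; the `{$name}` / `{$name!}` syntax, the function names and the temp-dir layout are assumptions. Variables are HTML-escaped by default so that unescaped output has to be an explicit opt-in.

```php
<?php
// Added illustration (not pH7Tpl's code). Assumed syntax:
//   {$name}  -> HTML-escaped output (default)
//   {$name!} -> raw output, explicit opt-in only
// The compiled PHP file is reused until the .tpl source's mtime changes.

function compileTemplate(string $src): string
{
    // Raw output first, so the escaped rule below does not match "{$x!}".
    $php = preg_replace(
        '/\{\$(\w+)!\}/',
        '<?php echo $__v[\'$1\'] ?? \'\'; ?>',
        $src
    );
    // Default rule: escape for HTML, both quote styles, UTF-8.
    return preg_replace(
        '/\{\$(\w+)\}/',
        '<?php echo htmlspecialchars((string)($__v[\'$1\'] ?? \'\'), ENT_QUOTES | ENT_HTML5, \'UTF-8\'); ?>',
        $php
    );
}

function renderTemplate(string $tplPath, string $cacheDir, array $vars): string
{
    $cachePath = $cacheDir . '/' . md5($tplPath) . '.php';
    clearstatcache(true, $cachePath);
    $srcMtime = filemtime($tplPath);
    // Recompile only when the cache is missing or older than the source.
    if (!is_file($cachePath) || filemtime($cachePath) < $srcMtime) {
        file_put_contents($cachePath, compileTemplate(file_get_contents($tplPath)), LOCK_EX);
        touch($cachePath, $srcMtime); // stamp the cache with the source's mtime
    }
    $__v = $vars; // visible to the included compiled file
    ob_start();
    include $cachePath;
    return ob_get_clean();
}

// Constructed demo: a source template written to a temp directory.
$dir = sys_get_temp_dir() . '/tpl-demo';
@mkdir($dir);
file_put_contents("$dir/hello.tpl", "<p>Hello {\$first_name}</p>\n");
echo renderTemplate("$dir/hello.tpl", $dir, ['first_name' => 'Avis">']);
```

A second call with an unchanged `hello.tpl` skips `compileTemplate()` entirely and just includes the cached file.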
@polynamaude I wouldn't really agree with it... Yes, it can take two weeks to ship the first version, but it doesn't mean it's always easy, depending on how fancy and how many features you want in your language.
If you want to build a very simple one, yes of course that's possible. However, if you want to create a production template language, it takes much more time.
First of all, you have to design the template language. pH7Tpl has also evolved a lot, and the syntax is now smoother than before. If you want to make sure that it behaves as expected, unit tests are inevitable. For example, just for the pH7Tpl tests, I think it took me two days or so to accomplish all of them (there are many files) https://github.com/pH7Software/pH7-Social-Dating-CMS/tree/master/_tests/Unit/Framework/Layout/Tpl/Engine/PH7Tpl
It's not as simple as it looks, although a very simple template language can be made in 2 hours.
This is really off topic, but since we are speaking about programming languages and parsing, my favorite book of all time was the Dragon compilation book https://www.amazon.co.uk/Compilers-Alfred-V-Aho/dp/0321486811
Oh, the book has also a Wikipedia page :) https://en.wikipedia.org/wiki/Compilers:_Principles,_Techniques,_and_Tools
Yeah I have had a good look at the code and can see it is not something thrown together quickly. Thanks for explaining, I found your reasons interesting :)
Hi there, I locked the thread since there has not been any recent activity after it was closed. Please open a new issue for related bugs. Thank you, Pierre-Henry Soria 🤖
There is an XSS vulnerability without need for any authentication at all. It also seems to be present in the newest versions.
To reproduce: 1) If you created sample users such as "Avis", "Clark", "Raphael", etc., click on their photos on the home page. 2) The endpoint "/signup/" has parameters that are vulnerable to Cross Site Scripting. Here is an example: http://example.com/pH7-Social-Dating-CMS/signup/?ref=main&a=index&u=chaya-ward&f_n=Avis">
I hope it will be fixed because I really like this project. It should not be too difficult to sanitize those parameters.
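The fix the report asks for, shown as an added example rather than the project's own code: the `f_n` parameter name comes from the reported URL, while the form markup, the helper names and the assumption that `f_n` prefills a first-name field are mine. The unsafe variant reproduces the defect class (a raw query value echoed into an attribute), the hardened one escapes at output time for the HTML attribute context.

```php
<?php
// Added example (not pH7-CMS code). Assumed: f_n prefills the signup
// form's first-name input; the markup and function names are mine.

// Vulnerable pattern: the raw query value lands inside a quoted attribute,
// so a value containing  ">  closes the attribute and the tag.
function renderFirstNameFieldUnsafe(array $query): string
{
    $firstName = $query['f_n'] ?? '';
    return '<input type="text" name="first_name" value="' . $firstName . '">';
}

// Output-encoding helper: ENT_QUOTES escapes both quote styles, so the
// value cannot break out of either a double- or single-quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: the same field, with every untrusted value escaped at output.
function renderFirstNameField(array $query): string
{
    $firstName = (string)($query['f_n'] ?? '');
    return '<input type="text" name="first_name" value="' . e($firstName) . '">';
}

// Constructed input mirroring the reported URL (f_n=Avis">).
$query = ['f_n' => 'Avis">'];
echo renderFirstNameFieldUnsafe($query), "\n"; // attribute broken open
echo renderFirstNameField($query), "\n";       // quote and bracket encoded
```

The same escaping belongs on the other `/signup/` parameters (`ref`, `a`, `u`) wherever they are reflected, and in a compiled template engine it is simplest to make it the default for every `{$var}` rather than a per-call decision.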