Phalcon's Phalcon\Forms\Element\Select element is not escaping the values between the tags. This allows malicious user to break the html code and execute javascript code.
This is very similar to the closed issue #12428 and brings similar backward compatibility problems (double escaping for users who escape it before injecting data to the form). But it clearly can generate invalid html code as demonstrated below and should be escaped by default. Anyone using this element has to do it anyway.
To Reproduce
$form = new \Phalcon\Forms\Form();
$data = [
1 => 'entry with malicious javascript <script>alert("I could do some dirty job instead");</script>',
2 => 'entry with malicious html </option></select>This appears outside the select box',
];
$select = new \Phalcon\Forms\Element\Select('selector', $data);
$form->add($select);
foreach ($form as $element) {
echo $element;
}
This is the rendered result:
<select id="selector" name="selector">
<option value="1">entry with malicious javascript <script>alert("I could do some dirty job instead");</script></option>
<option value="2">entry with malicious html </option></select>This appears outside the select box</option>
</select>
Expected behavior
Currently, the workaround fix is to escape the data manually
$form = new \Phalcon\Forms\Form();
$escaper = new \Phalcon\Html\Escaper;
$data = [
1 => $escaper->escapeHtml('entry with malicious javascript <script>alert("I could do some dirty job instead");</script>'),
2 => $escaper->escapeHtml('entry with malicious html </option></select>This appears outside the select box'),
];
$select = new \Phalcon\Forms\Element\Select('selector', $data);
$form->add($select);
foreach ($form as $element) {
echo $element;
}
with rendered html code
<select id="selector" name="selector">
<option value="1">entry with malicious javascript <script>alert("I could do some dirty job instead");</script></option>
<option value="2">entry with malicious html </option></select>This appears outside the select box</option>
</select>
Details
Phalcon version: 5.7.0
PHP Version: 8.1.29
Operating System: Rocky Linux 9
Installation type: installing via package manager
Zephir version 0.18.0:
Server: Apache
I know there is newer phalcon and newer PHP but the problem will be he same as it was not reported yet.
Phalcon's Phalcon\Forms\Element\Select element is not escaping the values between the tags. This allows malicious user to break the html code and execute javascript code.
This is very similar to the closed issue #12428 and brings similar backward compatibility problems (double escaping for users who escape it before injecting data to the form). But it clearly can generate invalid html code as demonstrated below and should be escaped by default. Anyone using this element has to do it anyway.
To Reproduce
This is the rendered result:
Expected behavior Currently, the workaround fix is to escape the data manually
with rendered html code
Details
I know there is newer phalcon and newer PHP but the problem will be he same as it was not reported yet.