xss

[MatthiasHertel]

laravel-blog-tutorial/resources/views/blog/single.blade.php

@extends('main')

@section('title', "| $post->title")

@section('content')

    <div class="row">
        <div class="col-md-8 col-md-offset-2">
            <h1>{{ $post->title }}</h1>
            <p>{{ $post->body }}</p>
            <hr>
            <p>Posted In: {{ $post->category->name }}</p>
        </div>
    </div>

@endsection

line 3 $post->title is not escaped ... and vulnerable for xss ?

[jacurtis]

Double curly braces will escape HTML so anything with double curly brace blade will be escaped and therefore safe.

Also as long as you sanitize it before adding it to the DB it would also be safe.

You're good here :)

hey jacurtis : Will you teach deployment to production environment
::changing from public to domain base url
::setup on a live server

On 3 Jul 2016 23:08, "J. Alexander Curtis" notifications@github.com wrote:

Double curly braces will escape HTML so anything with double curly brace
blade will be escaped and therefore safe.

Also as long as you sanitize it before adding it to the DB it would also
be safe.

You're good here :)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#1 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AKzuK5jSpQr7MrrTg3It8aHTFe_HumGsks5qSBbEgaJpZM4JD7em
.

[MatthiasHertel]

@jacurtis
first of all - i forked your repo and made pull req for a fixing route .. there is another issue

appendix the xss issue - try this string in the title of a post:

</title><script>alert('hi')</script>

then go to:
blog/single.blade.php

there is no sanitize ... the injected string is in the db .. and the in line 3 there is no escape for the string in the title ..

[jacurtis]

Interesting... i just checked again and double curly braces is supposed to escape html data. I am not sure what is happening here.

I know there is no sanitize, but that is because I was under the impression that all {{...}} was escaped.

[MatthiasHertel]

I know there is no sanitize, but that is because I was under the impression that all {{...}} was escaped.

but in line 3 are no curly braces ...

[jacurtis]

Gosh I am now just seeing the problem. Haha i was looking at the wrong post->title and I just now noticed it. I was so confused before, haha. Ok so what I am doing is making a list of "Known Bugs" on the readme page for this repo. Then will accept all merge requests for bug fixes at the end of the series (so I don't mess up other people's code). So I am adding this to the list of known bugs on the readme. If you have any others, open up another issue and I will add those as well.

[MatthiasHertel]

haha ... no problem - yeah an after-all-merge is the best way to prevent confusing the crowd

[jacurtis]

This security error was fixed in part 41 of the series. Viewable on YouTube at around the 20m mark.

[AlexanderPih]

I did it this way:
@section('title', '| '.htmlentities($post->title) )

[jacurtis]

That is interesting. I will give that a try. When I tried to add PHP inline
it didn't seem to work. Looks like I need to test :)

On Sun, Jul 24, 2016 at 11:44 AM, LSRWyvern notifications@github.com
wrote:

I did it this way:
@section('title', '| '.htmlentities($post->title) )

—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
#1 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAgy8Yua8gPcFjZcZ7FXQY6oavUkSvw2ks5qY6SagaJpZM4JD7em
.

[deviddev]

Maybe the simpliest way:
@section('title') | {{ $post->title }}@endsection

[the94air]

I prefer this

@section('title','| '.htmlspecialchars($post->title, ENT_QUOTES, 'UTF-8'))

[the94air]

Also the same problem in the tag tags.show view