Form.render doesn't escape value attributes on TextFields #1190
Comments
|
I tested in 1.3.0: Phalcon\Tag::setDI(new Phalcon\DI\FactoryDefault());
Phalcon\Tag::setDefaults(array('title' => 'Hello "world!"'));
echo Phalcon\Tag::getValue('title').PHP_EOL;
$form = new Phalcon\Forms\Form();
$form->add(new Phalcon\Forms\Element\Text("title"));
echo $form->render('title'); |
|
confirm $object = new stdClass();
$object->title = 'Hello "world!"';
$form = new Phalcon\Forms\Form($object);
$form->add(new Phalcon\Forms\Element\Text("title"));
echo $form->render('title');result: <input type="text" value="Hello "world!"" name="title" id="title"> |
|
Indeed, only by Tag :: getValue values obtained will auto escape. |
|
@phalcon please, fix this bug ASAP, this is a serious security risk |
diff --git a/ext/tag.c b/ext/tag.c
index 7de8067..86a225b 100644
--- a/ext/tag.c
+++ b/ext/tag.c
@@ -534,7 +534,7 @@ PHP_METHOD(Phalcon_Tag, linkTo){
PHP_METHOD(Phalcon_Tag, _inputField){
zval *type, *parameters, *as_value = NULL, *params = NULL, *value = NULL;
- zval *id = NULL, *name, *code, *key = NULL, *doctype;
+ zval *id = NULL, *name, *code, *key = NULL, *doctype, *escaped;
HashTable *ah0;
HashPosition hp0;
zval **hd;
@@ -608,6 +608,8 @@ PHP_METHOD(Phalcon_Tag, _inputField){
PHALCON_INIT_VAR(code);
PHALCON_CONCAT_SVS(code, "<input type=\"", type, "\"");
+ PHALCON_INIT_VAR(escaped);
+
phalcon_is_iterable(params, &ah0, &hp0, 0, 0);
while (zend_hash_get_current_data_ex(ah0, (void**) &hd, &hp0) == SUCCESS) {
@@ -616,7 +618,10 @@ PHP_METHOD(Phalcon_Tag, _inputField){
PHALCON_GET_HVALUE(value);
if (Z_TYPE_P(key) != IS_LONG) {
- PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", value, "\"");
+ phalcon_htmlspecialchars(escaped, value, NULL, NULL TSRMLS_CC);
+ PHALCON_SCONCAT_SVSVS(code, " ", key, "=\"", escaped, "\"");
+ zval_dtor(escaped);
+ ZVAL_NULL(escaped);
}
zend_hash_move_forward_ex(ah0, &hp0); |
ghost
mentioned this issue
|
This was fixed by @sjinks in the 1.3.0 branch |
|
Any plans to get the fix onto 1.2.4? |
|
The patch is ready to be used in 1.3.0, this version must work well since it contains mostly bug fixes |
|
@CoDanny you can run something like git checkout 1.2.3
git cherry-pick -x e3d5a5264c16c2c42102d92d419d7d3f35f381f1and recompile Phalcon. |
|
I've used 1.3.0 branch, but it still failed showing correct value. I used @tema87 code example. |
|
Please build Phalcon from ext/, not from build/ |
|
@sjinks It didn't work either. I ended with Tag::setDefault solution. |
|
@jimmycdinata There is a file, ext/tests/issue-1190.phpt: --TEST--
Form.render doesn't escape value attributes on TextFields - https://github.com/phalcon/cphalcon/issues/1190
--SKIPIF--
<?php include('skipif.inc'); ?>
--FILE--
<?php
new \Phalcon\DI\FactoryDefault();
$object = new stdClass();
$object->title = 'Hello "world!"';
$form = new \Phalcon\Forms\Form($object);
$form->add(new \Phalcon\Forms\Element\Text("title"));
echo $form->render('title'), PHP_EOL;
?>
--EXPECT--
<input value="Hello "world!"" name="title" id="title" type="text" />If you run it, ? If not, what does it display? |
I'm using \Forms\Form::Render('name') where 'name' is of type \Element\Text and its value contains double quotes.
The input field element gets rendered, but it's 'value' attribute contains the double quotes without escaping thus breaking the page.
I have tested in 1.2.0 and today in 1.2.3
As a workaround, if I set Tag::Defaults in the controller (see below), the rendering works as expected.
Tag::setDefaults(array(
'name' => $profile->name,
'about' => $profile->about,
'username' => $profile->username
));
It seems to me though that one shouldn't have to do this as the values are already known to the form.
The text was updated successfully, but these errors were encountered: