Encode the html when html is allowed

forkcms · Aug 29, 2021 · f0b4894 · f0b4894
1 parent 60e69d2
commit f0b4894
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 4 deletions.
diff --git a/spoon/form/hidden.php b/spoon/form/hidden.php
@@ -109,7 +109,7 @@ public function isFilled()
 	public function parse($template = null)
 	{
 		// start html generation
-		$output = '<input type="hidden" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';
+		$output = '<input type="hidden" value="' . $this->getValue(false) . '"';
 
 		// build attributes
 		$attributes = array();

diff --git a/spoon/form/text.php b/spoon/form/text.php
@@ -789,7 +789,7 @@ public function parse($template = null)
 
 		// start html generation
 		// note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true
-		$output = '<input value="' . $this->getValue() . '"';
+		$output = '<input value="' . $this->getValue(false) . '"';
 
 		// add attributes
 		$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';

diff --git a/spoon/form/textarea.php b/spoon/form/textarea.php
@@ -302,7 +302,7 @@ public function parse($template = null)
 		$output = '<textarea';
 
 		// add attributes
-		$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue()));
+		$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue(false)));
 
 		// close first tag
 		$output .= '>';

diff --git a/spoon/tests/form/SpoonFormHiddenTest.php b/spoon/tests/form/SpoonFormHiddenTest.php
@@ -64,7 +64,7 @@ public function testParse()
 		// Make sure we encode XSS payloads
 		$_POST['hidden'] = 'But I am le tired\'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>';
 		$this->assertEquals(
-			'<input type="hidden" value="But I am le tired&amp;#039;&amp;quot;()%26%25&amp;lt;yes&amp;gt;&amp;lt;ScRiPt%20&amp;gt;alert(1)&amp;lt;/ScRiPt&amp;gt;" id="hidden" name="hidden" />',
+			'<input type="hidden" value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="hidden" name="hidden" />',
 			$this->hidHidden->parse()
 		);
 	}

diff --git a/spoon/tests/form/SpoonFormTextTest.php b/spoon/tests/form/SpoonFormTextTest.php
@@ -352,12 +352,33 @@ public function testParse()
 			'<input value="But I am le tired&#039;&quot;()%26%25&lt;yes&gt;&lt;ScRiPt%20&gt;alert(1)&lt;/ScRiPt&gt;" id="name" name="name" type="text" class="inputText" />',
 			$this->txtName->parse()
 		);
+		$_POST['name'] = '"><svg/onload=alert(document.domain)>';
+		$this->assertEquals(
+			'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
+			$this->txtName->parse()
+		);
 
 		// Make sure we do not do double encoding on the ampersand
 		$_POST['name'] = 'Something & something else';
 		$this->assertEquals(
 			'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
 			$this->txtName->parse()
 		);
+
+		// now let's try it with HTML allowed
+		$this->txtName = new SpoonFormText('name', 'I am the default value', null, 'inputText', 'inputTextError', true);
+		$this->frm->add($this->txtName);
+
+		$_POST['name'] = '"><svg/onload=alert(document.domain)>';
+		$this->assertEquals(
+			'<input value="&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;" id="name" name="name" type="text" class="inputText" />',
+			$this->txtName->parse()
+		);
+
+		$_POST['name'] = 'Something & something else';
+		$this->assertEquals(
+			'<input value="Something &amp; something else" id="name" name="name" type="text" class="inputText" />',
+			$this->txtName->parse()
+		);
 	}
 }
diff --git a/spoon/tests/form/SpoonFormTextareaTest.php b/spoon/tests/form/SpoonFormTextareaTest.php
@@ -106,4 +106,16 @@ public function testGetValue()
 		$_POST['message'] = array('foo', 'bar');
 		$this->assertEquals('Array', $this->txtMessage->getValue(true));
 	}
+
+	public function testXSS()
+	{
+		$_POST['form'] = 'textarea';
+		$_POST['message'] = '"><svg/onload=alert(document.domain)>';
+		$this->assertEquals(SpoonFilter::htmlspecialchars($_POST['message']), $this->txtMessage->getValue());
+		$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());
+
+		$this->txtMessage = new SpoonFormTextarea('message', 'I am the default value', 'inputTextarea', 'inputTextareaError', true);
+		$this->frm->add($this->txtMessage);
+		$this->assertEquals('<textarea id="message" name="message" cols="62" rows="5" class="inputTextarea">&quot;&gt;&lt;svg/onload=alert(document.domain)&gt;</textarea>', $this->txtMessage->parse());
+	}
 }