diff --git a/spoon/form/hidden.php b/spoon/form/hidden.php
index d92ea79..838d5db 100644
--- a/spoon/form/hidden.php
+++ b/spoon/form/hidden.php
@@ -109,7 +109,7 @@ public function isFilled() public function parse($template = null) { // start html generation
- $output = 'getValue(false) . '"'; // build attributes $attributes = array();
diff --git a/spoon/form/text.php b/spoon/form/text.php
index 558cba5..1dfcb60 100644
--- a/spoon/form/text.php
+++ b/spoon/form/text.php
@@ -789,7 +789,7 @@ public function parse($template = null) // start html generation // note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true
- $output = 'getValue(false) . '"'; // add attributes $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
diff --git a/spoon/form/textarea.php b/spoon/form/textarea.php
index b3e6eb0..c38c1c2 100644
--- a/spoon/form/textarea.php
+++ b/spoon/form/textarea.php
@@ -302,7 +302,7 @@ public function parse($template = null) $output = 'getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue()));
+ $output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue(false))); // close first tag $output .= '>';
diff --git a/spoon/tests/form/SpoonFormHiddenTest.php b/spoon/tests/form/SpoonFormHiddenTest.php
index 9848b52..ab714da 100644
--- a/spoon/tests/form/SpoonFormHiddenTest.php
+++ b/spoon/tests/form/SpoonFormHiddenTest.php
@@ -64,7 +64,7 @@ public function testParse() // Make sure we encode XSS payloads $_POST['hidden'] = 'But I am le tired\'"()%26%25alert(1)'; $this->assertEquals(
- '',
+ '', $this->hidHidden->parse() ); }
diff --git a/spoon/tests/form/SpoonFormTextTest.php b/spoon/tests/form/SpoonFormTextTest.php
index d034d5f..978bc69 100644
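Review bot: The changed `$output` line now passes `getValue(false)` but carries no comment saying why, and the reason — the value is being written inside an HTML attribute, so it has to be escaped even for a field constructed with HTML allowed — is exactly the kind of "redundant" argument a later maintainer removes. I would add above it `// getValue(false) forces HTML escaping: the value sits inside an attribute, whatever $allowHTML says`. The same undocumented `getValue(false)` appears in the textarea.php hunk of this commit. The `+`/`-` markers of the changed lines are lost in this rendering, so which fragment belongs to which side is taken from the header's 7/7 line counts.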
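Review bot: The `'[value]' => $this->getValue()` entry in the `getAttributesHTML()` call on the context line right after the changed one is still the getter whose escaping appears to depend on the field's allowHTML setting, while the textarea.php hunk in this same commit switches the matching entry to `getValue(false)`; a custom attribute string containing `[value]` on a text field created with HTML allowed would therefore still receive the unescaped value inside an attribute. I would change it to `'[value]' => $this->getValue(false)` for consistency with textarea.php. The comment two lines above, `// note: no need to encode the value here, it gets encoding in the getter as long as $allowHTML=true`, now says the opposite of what the code does — the explicit `false` is there precisely because the getter does not encode in the HTML-allowed case — and should read `// note: always encode the value here via getValue(false); an attribute context must be escaped regardless of $allowHTML`. The rest of parse() is outside the hunk.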
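Review bot: Only the `[value]` placeholder handed to `getAttributesHTML()` is switched to `getValue(false)` here; the element's own content, emitted after the `// close first tag` line and so outside this hunk, is not visible in the diff. If that content is still produced with `getValue()`, a textarea created with HTML allowed keeps writing the raw value between the tags, which would undo the point of this fix for that element; that line, and the matching expectation in SpoonFormTextareaTest::testXSS (its expected strings are unreadable in this rendering), are worth checking. A why-comment next to the new call would also help, e.g. `// [value] lands inside an attribute: always escape it, regardless of $allowHTML`.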
--- a/spoon/tests/form/SpoonFormTextTest.php
+++ b/spoon/tests/form/SpoonFormTextTest.php
@@ -352,6 +352,11 @@ public function testParse() '', $this->txtName->parse() );
+ $_POST['name'] = '">';
+ $this->assertEquals(
+ '',
+ $this->txtName->parse()
+ ); // Make sure we do not do double encoding on the ampersand $_POST['name'] = 'Something & something else';
@@ -359,5 +364,21 @@ public function testParse() '', $this->txtName->parse() );
+
+ // now let's try it with HTML allowed
+ $this->txtName = new SpoonFormText('name', 'I am the default value', null, 'inputText', 'inputTextError', true);
+ $this->frm->add($this->txtName);
+
+ $_POST['name'] = '">';
+ $this->assertEquals(
+ '',
+ $this->txtName->parse()
+ );
+
+ $_POST['name'] = 'Something & something else';
+ $this->assertEquals(
+ '',
+ $this->txtName->parse()
+ ); } }
diff --git a/spoon/tests/form/SpoonFormTextareaTest.php b/spoon/tests/form/SpoonFormTextareaTest.php
index e152e43..f441608 100644
--- a/spoon/tests/form/SpoonFormTextareaTest.php
+++ b/spoon/tests/form/SpoonFormTextareaTest.php
@@ -106,4 +106,16 @@ public function testGetValue() $_POST['message'] = array('foo', 'bar'); $this->assertEquals('Array', $this->txtMessage->getValue(true)); }
+
+ public function testXSS()
+ {
+ $_POST['form'] = 'textarea';
+ $_POST['message'] = '">';
+ $this->assertEquals(SpoonFilter::htmlspecialchars($_POST['message']), $this->txtMessage->getValue());
+ $this->assertEquals('', $this->txtMessage->parse());
+
+ $this->txtMessage = new SpoonFormTextarea('message', 'I am the default value', 'inputTextarea', 'inputTextareaError', true);
+ $this->frm->add($this->txtMessage);
+ $this->assertEquals('', $this->txtMessage->parse());
+ } }
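Review bot: The new case has no comment, unlike its neighbour `// Make sure we do not do double encoding on the ampersand`, so the test alone does not say what the attribute-breaking input is meant to prove (the payload itself is not legible in this rendering). I would add `// Make sure a value that closes the attribute is encoded and cannot add markup` above the new `$_POST['name']` assignment. testParse() starts and ends outside this hunk.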
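Review bot: The HTML-allowed variant registers a second `SpoonFormText` named `name` on the same `$this->frm` that presumably already holds the field from setUp(), so the assertions depend on what `SpoonForm::add()` does with a duplicate name (replace, ignore or throw), which is not visible here. Building a fresh form for this part, or giving the field a distinct name such as `'nameHtml'`, keeps the test independent of that behaviour; SpoonFormTextareaTest::testXSS in this commit does the same thing. The boolean `true` at the end of the constructor call is opaque at the call site; the comment `// now let's try it with HTML allowed` helps, but naming the argument in it, e.g. `// allowHTML = true: the getter no longer escapes, parse() must still do so`, ties it to the behaviour under test.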
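Review bot: `testXSS()` checks `getValue()` against `SpoonFilter::htmlspecialchars($_POST['message'])`, i.e. the expectation is computed with the same filter the component presumably uses, so the assertion cannot catch a wrong or missing escaping convention; a literal expected string (the encoded form of the input) pins the contract the way the `parse()` assertions do. The HTML-allowed half asserts only `parse()`; an extra `$this->assertEquals($_POST['message'], $this->txtMessage->getValue());` there would document whether the getter still returns the raw value in that mode while the rendered markup stays escaped. The `$_POST['form'] = 'textarea';` line has no counterpart in the neighbouring testGetValue(), so a short comment on why this test needs it would help.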