View Issue Details

ID: 0019113
Project: phpList 3 application
Category: All Other
View Status: public
Last Update: 24-05-18 21:01
Reporter: samtuke
Priority: high
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform: Linux
OS: Fedora
OS Version: 26
Product Version: 3.3.2-RC3
Target Version: 3.3.4
Fixed in Version: 3.3.3
Summary: 0019113: Subscribe page text attribute value is corrupted due to removeXss()
Description: See https://github.com/phpList/phplist3/issues/264#issuecomment-373473456
Tags: No tags attached.

Activities

xheni

20-04-18 09:41

administrator   ~0060445

PR: https://github.com/phpList/phplist3/pull/296

samtuke

20-04-18 13:28

administrator   ~0060446

@xheni What about the preferences page? This does not appear to affect the problem when updating preferences via links like: lists/?p=preferences&uid=d9d1210076982e38f22502a5c9f2a215

In the attached screenshot the attribute value was set using code from your branch (fix-corrupted-attributes).

Selection_400.png (92,048 bytes)

xheni

20-04-18 15:51

administrator   ~0060448

Sorry for the misunderstanding. The changes that I made affect the subscriber details (?page=user) because the attributes were also corrupted there.
So the code before was basically calling:
htmlspecialchars($foo)
This leads to double-encoding since the data is already encoded before.
We can do context-aware escaping instead, which will work. So we have two cases:
<input value="foo">
<textarea>foo</textarea>
In this case we have two different cases that we need to escape, for the input field it is all " so that nobody can do something like "><script>alert(1)</script>. If we remove all " and replace that with the htmlentities version &#x22;.
For textarea the data is however in another structure. It needs to escape < and > with &gt; and &lt;
I'm working on the preferences page now that I understand it better where I need to do the changes and I will update soon.
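
The double-encoding and the two output contexts described in the comment above, shown as an added example that is not part of the thread or of phpList's code. The function names, the sample values and the assumption that the value is entity-encoded once before storage are constructed for illustration.

```php
<?php
// Added example, not phpList code; function names and sample values are constructed.

const ENC = 'UTF-8';

// Assumption: the input filter has already entity-encoded the value once before storage.
function storedForm(string $submitted): string {
    return htmlspecialchars($submitted, ENT_QUOTES, ENC);
}

// "Before": encoding the stored form a second time, so &amp; becomes &amp;amp;
// and the subscriber sees literal entities in the form field.
function renderDoubleEncoded(string $stored): string {
    return '<input value="' . htmlspecialchars($stored, ENT_QUOTES, ENC) . '">';
}

// Recover the raw value once, so each output context encodes exactly once.
function rawValue(string $stored): string {
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Attribute context: an unencoded double quote would let the value close the attribute.
// htmlspecialchars emits &quot;, which is equivalent to the &#x22; form mentioned above.
function inputValue(string $raw): string {
    return '<input value="' . htmlspecialchars($raw, ENT_QUOTES, ENC) . '">';
}

// Element-content context: < and > (and &) must be encoded so the value
// cannot close the textarea; quotes are harmless here and stay readable.
function textareaValue(string $raw): string {
    return '<textarea>' . htmlspecialchars($raw, ENT_NOQUOTES, ENC) . '</textarea>';
}

// Constructed sample attribute values, including the payload quoted in the comment.
$samples = ['Tom & Jerry "Ltd"', '"><script>alert(1)</script>', '</textarea><b>x</b>'];

foreach ($samples as $submitted) {
    $stored = storedForm($submitted);
    echo "submitted: $submitted\n";
    echo "before   : " . renderDoubleEncoded($stored) . "\n";
    echo "input    : " . inputValue(rawValue($stored)) . "\n";
    echo "textarea : " . textareaValue(rawValue($stored)) . "\n\n";
}
```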