
XSS in Twig templates

Open · chadtomkiss-tbp opened this issue 5 years ago · 1 comment

When using HAML and Twig to render our templates, we have run into an issue that allows XSS.

- set name = '"><script>alert(1);</script>'

%input(value=name)

The compiled template is:

{% set name = '"><script>alert(1);</script>' %}
<input {{ mthaml_attributes([['value', name]], 'html5', 'UTF-8', false)|raw }}>

We are using the Symfony bundle, which disables escaping by default.

Is there anything we need to do to prevent this?

chadtomkiss-tbp, Jun 19 '19 18:06

I see no reason for not escaping attributes. I've fixed that and tagged 1.8.1.

Thank you for reporting this issue.

arnaud-lb, Jun 20 '19 15:06
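To make the difference between the two behaviours concrete, here is an added example (not MtHaml's own code, and `escape_attr`/`render_attributes` are hypothetical names): a minimal attribute renderer with the same `[[name, value], ...]` input shape as the compiled template's `mthaml_attributes(...)` call, run once without escaping, as in the report, and once with attribute-context escaping.

```php
<?php
// Added example, not MtHaml's code. Demonstrates why attribute values must be
// escaped for the attribute context before being concatenated into markup.

// Escape a value for a double-quoted HTML5 attribute. ENT_QUOTES covers both
// quote characters, so a '"' inside the value cannot terminate the attribute.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// $attrs mirrors the compiled template's argument: [[name, value], ...].
// $escape = false reproduces the reported output; $escape = true is the hardened form.
function render_attributes(array $attrs, bool $escape): string
{
    $parts = [];
    foreach ($attrs as [$name, $value]) {
        if ($value === null || $value === false) {
            continue;                      // attribute omitted entirely
        }
        if ($value === true) {
            $parts[] = $name;              // boolean attribute, e.g. "disabled"
            continue;
        }
        if (is_array($value)) {
            $value = implode(' ', $value); // e.g. a class list
        }
        $value = (string) $value;
        $parts[] = $name . '="' . ($escape ? escape_attr($value) : $value) . '"';
    }
    return implode(' ', $parts);
}

// Constructed input: the value used in the report above.
$name = '"><script>alert(1);</script>';

echo '<input ' . render_attributes([['value', $name]], false) . ">\n";
echo '<input ' . render_attributes([['value', $name]], true) . ">\n";
```

The first line breaks out of the `value` attribute exactly as the compiled template does; in the second, the quote and angle brackets are emitted as entities, so the browser treats the whole payload as the attribute's text. Note that `|raw` in the compiled template bypasses Twig's autoescaping, so the escaping has to happen inside the attribute renderer itself, which is what the 1.8.1 fix addresses.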