
Fortify Scan - XSLT Injection - portal/vendor/ezyang/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php

Open Jessy-developer opened this issue 6 years ago • 0 comments

Hi,

We had a Fortify scan run on our code base to check for possible security vulnerabilities, and the following was reported for this library. We request that you look into it.

Issue Description - Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary PHP code.

Recommendation Offered - When writing user-supplied data to XSL stylesheets, the following guidelines should be followed:
1. Validate input and whitelist to known good values.
2. XML-entity-encode user input before writing it to XML.

Occurrences -
1. portal/vendor/ezyang/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php, line 30
2. portal/vendor/ezyang/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php:28

Jessy-developer, May 31 '19 12:05
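The finding quoted in the report is generic to any code that hands an XSL stylesheet it does not control to PHP's XSLTProcessor: the `document()` function reads files, and `php:function()` calls PHP if the application registered it. As an added example that is not code from HTML Purifier and makes no claim about what HTMLXSLTProcessor.php itself does, the PHP below contrasts that pattern with one that follows the two recommendations in the report (whitelist the stylesheet, pass user data as a parameter instead of splicing it into the XSL). The stylesheet texts, the secret file, and the function names `transformUnsafe`, `transformSafe` and `trustedStylesheets` are constructed for this example.

```php
<?php
// Added example for the XSLT-injection finding class; not HTML Purifier code.
declare(strict_types=1);

// Constructed "sensitive" XML file the application never meant to expose.
$secretPath = sys_get_temp_dir() . '/xslt-demo-secret.xml';
file_put_contents($secretPath, '<secret>db-password=hunter2</secret>');

// Constructed attacker-supplied stylesheet: document() pulls a file off the
// filesystem, php:function() runs PHP if the processor exposed it.
$maliciousXsl = <<<XSL
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:php="http://php.net/xsl">
  <xsl:output method="text"/>
  <xsl:template match="/">
file: <xsl:value-of select="document('file://$secretPath')"/>
php:  <xsl:value-of select="php:function('phpversion')"/>
  </xsl:template>
</xsl:stylesheet>
XSL;

// VULNERABLE: the stylesheet text comes from the caller, and every PHP
// function is registered, so whoever wrote the stylesheet controls file
// reads and code execution inside the transform.
function transformUnsafe(string $stylesheetXml, string $inputXml): string
{
    $xsl = new DOMDocument();
    $xsl->loadXML($stylesheetXml);
    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions();   // no argument = expose *all* PHP functions
    $proc->importStylesheet($xsl);
    $doc = new DOMDocument();
    $doc->loadXML($inputXml);
    return (string) $proc->transformToXml($doc);
}

// Trusted stylesheets shipped with the application (constructed here).
// User data only ever arrives through <xsl:param>, never in the XSL text.
function trustedStylesheets(): array
{
    return [
        'greeting' => <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="who"/>
  <xsl:output method="text"/>
  <xsl:template match="/">Hello, <xsl:value-of select="$who"/>: <xsl:value-of select="/doc"/></xsl:template>
</xsl:stylesheet>
XSL,
    ];
}

// HARDENED: the caller picks a *name* that is whitelisted against fixed,
// server-side stylesheets; user values are bound as parameters; and the
// processor is denied filesystem and network access from inside the XSL.
function transformSafe(string $stylesheetName, array $params, string $inputXml): string
{
    $trusted = trustedStylesheets();
    if (!array_key_exists($stylesheetName, $trusted)) {
        throw new InvalidArgumentException("unknown stylesheet: $stylesheetName");
    }
    $xsl = new DOMDocument();
    $xsl->loadXML($trusted[$stylesheetName]);

    $proc = new XSLTProcessor();
    // No registerPHPFunctions(): php:function() is simply unavailable.
    // PHP's default (XSL_SECPREF_DEFAULT) only forbids writes; deny reads too
    // so document() cannot pull in local files or URLs.
    $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
    );
    $proc->importStylesheet($xsl);

    foreach ($params as $name => $value) {
        // Caveat: PHP's xsl extension cannot pass a value that contains both
        // quote characters, so reject it rather than let it silently fail.
        if (strpos($value, "'") !== false && strpos($value, '"') !== false) {
            throw new InvalidArgumentException("parameter $name mixes quote characters");
        }
        $proc->setParameter('', $name, $value);
    }
    $doc = new DOMDocument();
    $doc->loadXML($inputXml);
    return (string) $proc->transformToXml($doc);
}

$input = '<doc>payload</doc>';
echo "--- unsafe ---\n", transformUnsafe($maliciousXsl, $input), "\n";
// The stylesheet author reads the secret file and calls a PHP function.
echo "--- safe ---\n", transformSafe('greeting', ['who' => 'world'], $input), "\n";
unlink($secretPath);
```

Running the unsafe path shows the contents of the secret file and the PHP version in the output, which is exactly the "include arbitrary files" and "execute arbitrary PHP code" outcome the report describes; the safe path prints `Hello, world: payload` and would throw for any stylesheet name outside the whitelist. The important check when triaging a finding like this is therefore who controls the stylesheet text and whether `registerPHPFunctions()` is ever called, not merely that `importStylesheet()` appears in the file.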