Stored XSS Vulnerability
Vulnerability
- In the signup form validation rules, lines 23-27 of /models/SignupForm.php:

```php
['username', 'filter', 'filter' => 'trim'],
['username', 'required'],
['username', 'unique', 'targetClass' => '\app\models\User', 'message' => Yii::t('app', 'This username has already been taken.')],
['username', 'string', 'min' => 2, 'max' => 255],
['username', 'validateHoldUser'],
```
The `trim` filter only removes leading and trailing whitespace; it neither sanitizes the value nor blocks markup such as a `<script>` element, and none of the other rules shown above (presence, uniqueness, length) rejects it either. An attacker can therefore register with a username that contains a script payload. Other user-supplied fields are likely affected in the same way wherever they are rendered without escaping.

When this username is later displayed in a view without proper escaping, the payload is executed. Example vulnerable line 21 in /views/site/index.php:

```php
<br> <?= $value->user->username ?>
```
Patch
Escape the value at the point of output rather than relying on input filtering. Yii's built-in escaping helper `Html::encode()` converts the characters that are significant in HTML (e.g. `<` becomes `&lt;`, `"` becomes `&quot;`), so the browser renders the username as text instead of parsing it as markup. Apply the same treatment to every user-controlled value echoed into a view, since `trim` and the other validation rules do nothing to neutralize a stored payload.
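As an added example (not code from the reported project or from Yii itself), the script below reproduces the failure and the fix outside the framework: a constructed payload passes the `trim` filter and the length rule unchanged, and only entity-encoding at output renders it harmless. `encodeForView()` is a stand-in for `\yii\helpers\Html::encode()`, which in Yii 2 wraps `htmlspecialchars()` with `ENT_QUOTES | ENT_SUBSTITUTE` and the application charset; the function names and the sample username are assumptions made for this example.

```php
<?php
// Added example, not code from the reported project or from Yii.
// Shows why the `trim` filter does not stop a stored XSS payload and why
// escaping at output does.

// Stand-in for \yii\helpers\Html::encode(): Yii 2 implements it as
// htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and the app charset.
function encodeForView(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Mimics the signup rule ['username', 'filter', 'filter' => 'trim']:
// it only strips surrounding whitespace and leaves markup intact.
function applyTrimFilter(string $username): string
{
    return trim($username);
}

// Mimics ['username', 'string', 'min' => 2, 'max' => 255]: a length check
// that says nothing about the content of the string.
function passesLengthRule(string $username): bool
{
    $len = mb_strlen($username, 'UTF-8');
    return $len >= 2 && $len <= 255;
}

// Vulnerable rendering, equivalent to the view line
//   <br> <?= $value->user->username ?>
function renderVulnerable(string $username): string
{
    return '<br> ' . $username;
}

// Hardened rendering, equivalent to
//   <br> <?= Html::encode($value->user->username) ?>
function renderEscaped(string $username): string
{
    return '<br> ' . encodeForView($username);
}

// Constructed attacker input (assumption for this example): a username that
// is also a script element, padded with the whitespace trim will remove.
$submitted = "  <script>alert(document.cookie)</script>  ";

// What the validation pipeline stores: the same payload, minus padding.
$stored = applyTrimFilter($submitted);
if (!passesLengthRule($stored)) {
    throw new RuntimeException('length rule unexpectedly rejected the payload');
}
if (strpos($stored, '<script>') === false) {
    throw new RuntimeException('trim was expected to leave the markup intact');
}

// Unescaped: the browser parses the stored value as HTML and runs the script.
echo renderVulnerable($stored), PHP_EOL;

// Escaped: the angle brackets and quotes become entities and the browser
// shows the username as literal text.
echo renderEscaped($stored), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: the first still contains a live `<script>` element, the second only entity-encoded text. Because `Html::encode()` uses `ENT_QUOTES`, the same call is also safe inside a double- or single-quoted HTML attribute; it is not sufficient for values placed inside inline JavaScript or a URL, which need the encoding appropriate to that context.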