fix: escape user-controlled values rendered as raw backend HTML (stored XSS)#6581
Merged
Conversation
…ed XSS) Several places concatenated database/filesystem values into backend HTML without rex_escape(), leading to stored XSS. Most of these flows are invisible to the Psalm taint analysis because they cross dynamic-dispatch boundaries (extension-point handlers invoked via call_user_func, a fragment var set with escaping disabled, and a rex_list 'custom' column formatter which is not auto-escaped), so the static taint graph is severed between source and sink. Fixed sinks: - media_manager: the MEDIA_IS_IN_USE handler rendered the effect type name unescaped (GHSA-mf2p-wjp4-99pq). - mediapool: the MEDIA_IS_IN_USE warning rendered the referencing article name unescaped. - metainfo: the MEDIA_IS_IN_USE handler rendered article, category, media filename and clang names unescaped. - mediapool sync page: on-disk filenames were rendered unescaped in the writable/not-writable lists (GHSA-w998-qmw9-mf4m). - media_manager effects list: the 'custom' column formatter returned the raw effect short name from the DB when the effect class is no longer registered. - phpmailer checkmail page: the SMTP server debug output and ErrorInfo were rendered unescaped (rex_escape applied before nl2br so line breaks are preserved). All affected values are now passed through rex_escape() before being embedded into HTML.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Several places concatenated database/filesystem values into backend HTML without rex_escape(), leading to stored XSS. Most of these flows are invisible to the Psalm taint analysis because they cross dynamic-dispatch boundaries (extension-point handlers invoked via call_user_func, a fragment var set with escaping disabled, and a rex_list 'custom' column formatter which is not auto-escaped), so the static taint graph is severed between source and sink.
Fixed sinks:
All affected values are now passed through rex_escape() before being embedded into HTML.