XSS vulnerability inside <TextArea> elements (no escaping/htmlentities being done)

[hi2u]

When using Phalcon's Phalcon\Forms\Element\TextArea element, no escaping/htmlentities is done on the value in between the real <textarea> and </textarea> tags. A malicious user simply entering </textarea> into the form allows any following client-side code to be executed when returning to the form.

---

Example form with malicious user input:

---

Next time the form is rendered, the malicious code gets executed:

---

This behaviour is inconsistent with Phalcon\Forms\Element\Text which does safely convert special characters to HTML entities.

I'm using Phalcon 3.0.1 on Ubuntu 16.04 64bit with PHP 7.0.8-0ubuntu0.16.04.3 (standard official Ubuntu repo package at present).

This appears to be where the tag is generated, "content" isn't escaped: https://github.com/phalcon/cphalcon/blob/v3.0.1/phalcon/tag.zep#L963

In the meantime, you can work around this issue by using this extended element class (instead of using Phalcon\Forms\Element\TextArea directly)...

class TextAreaSafe extends \Phalcon\Forms\Element\TextArea
{
    public function render($attributes = null)
    {
        $fieldName = $this->getName();
        $Escaper = new \Phalcon\Escaper();
        $this->getForm()->getEntity()->$fieldName = $Escaper->escapeHtml($this->getValue());
        return parent::render($attributes);
    }
}

[sergeyklay]

@hi2u How about to use the TextArea as part of HTML editor? The escaping out of box will break such use. At least it's not a minor hotfix. In my opinion you have to escape user's input (for example in the controller's action) but not output.

In any case this is an ambiguous question and I need time to think about it.

Could you please provide minimal code which could be reproduced to understand its correct use case?

[hi2u]

How about to use the TextArea as part of HTML editor? The escaping out of box will break such use.

Sorry, I didn't really understand what you mean here?

I've done up a simple example. You can just paste this action code into a controller:

    public function xsstextareaAction()
    {
        $Form = new \Phalcon\Forms\Form();

        $e = new \Phalcon\Forms\Element\Text('demoTextField');
        $e->setDefault('this is automatically made safe <html> "doubles quotes" \'single quotes\' ');
        $Form->add($e);

        $e = new \Phalcon\Forms\Element\TextArea('demoTextAreaField');
        $e->setDefault('this is NOT automatically made safe </textarea> <html> "doubles quotes" \'single quotes\' <script>alert(\'this shouldnt happen\');</script> ');
        $Form->add($e);

        foreach ($Form as $Element) echo $Element;
    }

The resulting HTML rendered is:

<input type="text" id="demoTextField" name="demoTextField" value="this is automatically made safe &lt;html&gt; &quot;doubles quotes&quot; &#039;single quotes&#039; " />

<textarea id="demoTextAreaField" name="demoTextAreaField">this is NOT automatically made safe </textarea> <html> "doubles quotes" 'single quotes' <script>alert('this shouldnt happen');</script> </textarea>

As you can see, the regular one-line INPUT is converting special characters into HTML entities on output like it should. But the TEXTAREA does not.

Everything I've read about XSS recommends doing the escaping on output (not input), because the data in your database could be coming from anywhere, including non-web systems outside of your own control. You can't rely on your source data having already converted all its special characters to HTML entities. As that would cause all sorts of issues. And escaping is context specific, e.g. if the data is getting sent in a plain text email, you don't want it to be pre-polluted with HTML entities.

That's how we end up with stuff like this: https://www.instagram.com/p/SVfQruppEE/ :) ... I came across that on this page about XSS input vs output: http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/

In either case, TextArea should be consistent with Phalcon's Text/Select/etc elements. But it really should be on output, as Text, Select etc correctly do.

If there are some specific reasons that content shouldn't be converted inside TEXTAREA tags, maybe it should just at least check for a </textarea> inside the value and just sanitize that?

Are there any downsides to just sanitizing it using the same method as Text/Select etc?

[hi2u]

Sorry about closing the ticket before, clicked the wrong button.

I also just now tested how Phalcon behaves with special characters inside the values of <SELECT><OPTION> tags. This is also safely sanitized in the same way as Text.

e.g: if my database has an option with value:

Data with <tag> "quotes" 'quote'

\Phalcon\Forms\Element\Select is automatically rendering as:

<option value="51">Data with &lt;tag&gt; &quot;quotes&quot; &#039;quote&#039;</option>

So I'm guessing Phalcon is doing it for most other form fields too? Except for TextArea.