CVE-2023-1884: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@7f0f921
Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
@@ -106,10 +106,10 @@ function buildStopWordsHTML(data) {
}
// id attribute is of the format stopword_<id>_<lang>
elem_id = buildStopWordInputElemId(data[i].id, data[i].lang);
elem_id = buildStopWordInputElemId(data[i].id, escape(data[i].lang));
html += '<td>’;
html += buildStopWordInputElement(elem_id, data[i].stopword);
html += buildStopWordInputElement(elem_id, escape(data[i].stopword));
html += '</td>’;
if (i % maxCols === maxCols - 1) {
@@ -136,7 +136,7 @@ function buildStopWordInputElement(elementId, stopword) {
elementId = elementId || buildStopWordInputElemId();
stopword = stopword || '’;
const attrs = 'onblur="saveStopWord(this.id)" onkeydown="saveStopWordHandleEnter(this.id, event)" onfocus="saveOldValue(this.id)"’;
return ‘<input class="form-control form-control-sm" id="’ + elementId + ‘" value="’ + stopword + '" ' + attrs + '>’;
return ‘<input class="form-control form-control-sm" id="’ + elementId + ‘" value="’ + escape(stopword) + '" ' + attrs + '>’;
}
/**
@@ -286,6 +286,21 @@ function() {
);
}
}
const escape = (text) => {
const map = {
'&’: '&’,
'<’: '<’,
'>’: '>’,
'"’: '"’,
"’": '’’,
};
return text.replace(/[&<>"’]/g, (mapped) => {
return map[mapped];
});
};
</script>
</div>
</div>
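Review bot: The stopword is HTML-escaped twice on the list path, because `buildStopWordsHTML` now passes `escape(data[i].stopword)` and `buildStopWordInputElement` applies `escape(stopword)` again when it builds the `value` attribute. A stored `&` would then show up in the input as `&amp;`, and since the field is saved through `onblur="saveStopWord(this.id)"` the encoded form could presumably be written back on the next edit. Escaping once at the sink covers every caller, so the call site can stay `html += buildStopWordInputElement(elem_id, data[i].stopword);`. The helper's name also shadows the legacy global `escape()` (percent-encoding), so if the `const` is ever out of scope for these functions the calls would silently fall back to it; a distinct name such as `escapeHtml` avoids that. The bodies of `buildStopWordsHTML` and of the block enclosing the helper continue outside the hunks shown, so scope and call order could not be confirmed from here.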
Related news
thorsten/phpmyfaq prior to 3.1.12 is vulnerable to cross-site scripting (XSS) because it fails to sanitize user input in the `stopword` parameter. This has been fixed in 3.1.12.