jacurtis / laravel-blog-tutorial

Follow along with how we built this blog using Laravel on YouTube. Read the Readme for more details. Watch it here:

Home Page: https://www.youtube.com/playlist?list=PLwAKR305CRO-Q90J---jXVzbOd4CDRbVx


xss

MatthiasHertel opened this issue · comments

laravel-blog-tutorial/resources/views/blog/single.blade.php
@extends('main')

@section('title', "| $post->title")

@section('content')

    <div class="row">
        <div class="col-md-8 col-md-offset-2">
            <h1>{{ $post->title }}</h1>
            <p>{{ $post->body }}</p>
            <hr>
            <p>Posted In: {{ $post->category->name }}</p>
        </div>
    </div>

@endsection

line 3: $post->title is not escaped ... and vulnerable to XSS?

Double curly braces will escape HTML so anything with double curly brace blade will be escaped and therefore safe.

Also as long as you sanitize it before adding it to the DB it would also be safe.

You're good here :)

hey jacurtis : Will you teach deployment to production environment
::changing from public to domain base url
::setup on a live server

On 3 Jul 2016 23:08, "J. Alexander Curtis" notifications@github.com wrote:

> Double curly braces will escape HTML so anything with double curly brace blade will be escaped and therefore safe.
>
> Also as long as you sanitize it before adding it to the DB it would also be safe.
>
> You're good here :)



@jacurtis
First of all, I forked your repo and made a pull request fixing a route. There is another issue.

Regarding the XSS issue, try this string in the title of a post:

</title><script>alert('hi')</script>

then go to:
blog/single.blade.php

There is no sanitizing ... the injected string is in the DB, and in line 3 there is no escaping of the string in the title ..

Interesting... I just checked again and double curly braces are supposed to escape HTML data. I am not sure what is happening here.

I know there is no sanitize, but that is because I was under the impression that all {{...}} was escaped.

> I know there is no sanitize, but that is because I was under the impression that all {{...}} was escaped.

but in line 3 there are no curly braces ...

Gosh, I am now just seeing the problem. Haha, I was looking at the wrong post->title and I just now noticed it. I was so confused before, haha. Ok, so what I am doing is making a list of "Known Bugs" on the readme page for this repo. Then I will accept all merge requests for bug fixes at the end of the series (so I don't mess up other people's code). So I am adding this to the list of known bugs on the readme. If you have any others, open up another issue and I will add those as well.

haha ... no problem - yeah an after-all-merge is the best way to prevent confusing the crowd

This security error was fixed in part 41 of the series. Viewable on YouTube at around the 20m mark.

I did it this way:
@section('title', '| '.htmlentities($post->title) )

That is interesting. I will give that a try. When I tried to add PHP inline
it didn't seem to work. Looks like I need to test :)

On Sun, Jul 24, 2016 at 11:44 AM, LSRWyvern notifications@github.com wrote:

> I did it this way:
> @section('title', '| '.htmlentities($post->title) )



Maybe the simplest way:
@section('title') | {{ $post->title }}@endsection

I prefer this

@section('title','| '.htmlspecialchars($post->title, ENT_QUOTES, 'UTF-8'))
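As an added example (plain PHP, not code from the repo or from anyone in this thread), here is a side-by-side of the three ways the `<title>` section has been rendered in this discussion, run against the exact title string quoted in the issue, so the effect of each escaping call is visible:

```php
<?php
// Added example: a plain-PHP stand-in for the three renderings of the
// @section('title', ...) directive discussed in this issue. Not part of
// jacurtis/laravel-blog-tutorial.

declare(strict_types=1);

// Constructed sample title, identical to the string reported in the issue.
const UNTRUSTED_TITLE = "</title><script>alert('hi')</script>";

// 1. @section('title', "| $post->title") -- string interpolation inside the
//    directive argument; Blade passes the value straight through, no escaping.
function titleUnescaped(string $title): string
{
    return '| ' . $title;
}

// 2. @section('title', '| '.htmlentities($post->title)) -- the first fix
//    posted above. Escapes <, >, & and "; with PHP's pre-8.1 default flags
//    (ENT_COMPAT) it leaves the single quote alone.
function titleHtmlentities(string $title): string
{
    return '| ' . htmlentities($title);
}

// 3. @section('title', '| '.htmlspecialchars($post->title, ENT_QUOTES, 'UTF-8'))
//    -- also escapes single quotes, which matters if the title ever lands in a
//    single-quoted attribute. This matches what Blade's {{ }} does via e().
function titleHtmlspecialchars(string $title): string
{
    return '| ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Check a reviewer can apply to any rendered title: once escaped, the string
// must contain no raw '<' or '>' so it can never close the <title> element early.
function isSafeForTitleElement(string $rendered): bool
{
    return strpbrk($rendered, '<>') === false;
}

$variants = [
    'unescaped'        => titleUnescaped(UNTRUSTED_TITLE),
    'htmlentities'     => titleHtmlentities(UNTRUSTED_TITLE),
    'htmlspecialchars' => titleHtmlspecialchars(UNTRUSTED_TITLE),
];
foreach ($variants as $name => $rendered) {
    printf("%-17s safe=%s  %s\n", $name, isSafeForTitleElement($rendered) ? 'yes' : 'no ', $rendered);
}
```

Only the first variant fails the check; the other two emit `&lt;/title&gt;...` and the browser shows the payload as literal text in the tab title.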

Also the same problem in the tag tags.show view

The good news is that in Laravel 5.4, I believe, this issue is fixed now. They are escaped by default.

Yea, I notice that it has been escaped (since the first version I have used is 5.4). I can't believe that they didn't escape these echoes all that time. That is really creepy. I was thinking about the ajax way of making a CRUD series.

Hi Jacurtis, I wanted to run your project but I have an error

Trying to get property 'title' of non-object (View: C:\xampp\htdocs\blog123\resources\views\blog\single.blade.php)
What should I do? Can you suggest something?

@extends('main')

{{-- This line was truncated in the issue as pasted; it assigned the escaped title to $titleTag. The e() call is a reconstruction (Laravel's escape helper), not the poster's exact code. --}}
<?php $titleTag = e($post->title); ?>

@section('title', "| $titleTag")

@section('content')

<div class="row">
	<div class="col-md-8 col-md-offset-2">
		@if(!empty($post->image))
			<img src="{{asset('/images/' . $post->image)}}" width="800" height="400" />
		@endif
		<h1>{{ $post->title }}</h1>
		{{-- {!! !!} outputs $post->body without escaping; this is only safe if the body is sanitized HTML before it is stored --}}
		<p>{!! $post->body !!}</p>
		<hr>
		<p>Posted In: {{ $post->category->name }}</p>
	</div>
</div>

<div class="row">
	<div class="col-md-8 col-md-offset-2">
		<h3 class="comments-title"><span class="glyphicon glyphicon-comment"></span>  {{ $post->comments()->count() }} Comments</h3>
		@foreach($post->comments as $comment)
			<div class="comment">
				<div class="author-info">

					<img src="{{ "https://www.gravatar.com/avatar/" . md5(strtolower(trim($comment->email))) . "?s=50&d=monsterid" }}" class="author-image">
					<div class="author-name">
						<h4>{{ $comment->name }}</h4>
						<p class="author-time">{{ date('F dS, Y - g:iA' ,strtotime($comment->created_at)) }}</p>
					</div>

				</div>

				<div class="comment-content">
					{{ $comment->comment }}
				</div>

			</div>
		@endforeach
	</div>
</div>

<div class="row">
	<div id="comment-form" class="col-md-8 col-md-offset-2" style="margin-top: 50px;">
		{{ Form::open(['route' => ['comments.store', $post->id], 'method' => 'POST']) }}

			<div class="row">
				<div class="col-md-6">
					{{ Form::label('name', "Name:") }}
					{{ Form::text('name', null, ['class' => 'form-control']) }}
				</div>

				<div class="col-md-6">
					{{ Form::label('email', 'Email:') }}
					{{ Form::text('email', null, ['class' => 'form-control']) }}
				</div>

				<div class="col-md-12">
					{{ Form::label('comment', "Comment:") }}
					{{ Form::textarea('comment', null, ['class' => 'form-control', 'rows' => '5']) }}

					{{ Form::submit('Add Comment', ['class' => 'btn btn-success btn-block', 'style' => 'margin-top:15px;']) }}
				</div>
			</div>

		{{ Form::close() }}
	</div>
</div>

@endsection