Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

This is a demonstration of Phalcon's inconsistent Text and TextArea escaping

I'm just posting here to demonstrate the bug I've filed at https://github.com/phalcon/cphalcon/issues/12428

</textarea> OUTSIDE!!!

<h1 style="font-size:50px; color:red;">i'm free!!!</h1>

<script> document.addEventListener("DOMContentLoaded", function(event) { alert('This should not happen!'); }); </script>



1.1k

Here's what's displayed when I edit that post above. If an admin were to edit my post, they'd be executing my Javascript code too.

screenshot

edited Nov '16

@OP: Good point.

Security should come first with any framework, and there's a lot of room for improvement.



29.3k
Accepted
answer

Thank you for pointing the problem in the forum source code.

As @niden has already explained to you in https://github.com/phalcon/cphalcon/issues/12428, we can't make the changes you are talking about, in the current branch Phalcon API, because it would break backward compatibility. Many projects escape output independently.

You can see how to get rid of this problem in my commit: https://github.com/phalcon/forum/commit/d664062a810745c2793b4c2a88cd8daf82f6759e

To do so, you don't need to release a new version of Phalcon or even worse, break working projects which already use escaping.

Fixed in the 3.0.x branch. I'll release a new minor Forum version as soon as possible. Thanks.



1.1k

No worries. Thanks for your feedback. And I agree about the breaking changes thing, which is a great thing in Phalcon (they're very rare). I really apprciate all the great work you guys do.

I was just posting this here to demo/test the forum's implementation itself, not to nag about the cphalcon issue. :)

For anybody who is rendering their form elements from a lower level, i.e. from the Elements inside your $Form object (rather than re-creating them in your controller), you can use this extended TextAreaEscaped class instead of \Phalcon\Forms\Element\TextArea when defining your Form class...

class TextAreaEscaped extends \Phalcon\Forms\Element\TextArea
{
    public function render($attributes = null)
    {
        $fieldName = $this->getName();
        $Escaper = new \Phalcon\Escaper();
        $this->getForm()->getEntity()->$fieldName = $Escaper->escapeHtml($this->getValue());
        return parent::render($attributes);
    }
}