XSS on TaxonomyController

[S-DICKSON]

1. Create a new taxonomy
2. Set name to <script>alert("YOu juST beEn hackED ( ͡° ͜ʖ ͡°) ")</script>
3. Submit
4. See alert on the index page

This issue also occurs in TaxonController@Create.

[fulopattila122]

Thx for the report!

• does it only apply only to name?
• only taxon and taxonomy?

[S-DICKSON]

Hi the issues seems to be when Update or Store has been made and the request is redirected to the index page. {{ $variable }} is not escaping the characters and seems to be working after refresh this is only an assumption though I've not looked into how Laravel escapes characters.

I've justed tested <script>alert("YOu juST beEn hackED ( ͡° ͜ʖ ͡°) ")</script> on these controller so far

• TaxonomyController
• TaxonController
• ProductController
• PropertyController

I'll let you know if I find anymore.

[fulopattila122]

Fair enough, I'll check them. Thx!

[S-DICKSON]

• ChannelController

[S-DICKSON]

• PropertyValueController@create

[fulopattila122]

Checked it myself, and it only affects the flash message after creation or update.
Basically one can only hack himself :) but I'll give it a fix

[fulopattila122]

The issue comes from the laracasts/flash package, see https://github.com/laracasts/flash/blob/3.1/src/views/message.blade.php#L22

The default, intended behavior is to be able to pass HTML to the flash messages from the code.
This can be easily modified:

1. php artisan vendor:publish --provider="Laracasts\Flash\FlashServiceProvider"
2. Edit resources/views/vendor/flash/message.blade.php
3. Change line 22 from {!! $message['message'] !!} to {{ $message['message'] }}

For Vanilo v1 I'll leave it as it is so that it doesn't break existing apps that rely on this behavior. The framework itself doesn't pass any HTML, so for v2 I'll change this behavior so that flash messages are escaped by default.