Summary
Adding messages to the Phalcon\Flash\Session object causes the message contents to remain unescaped when they are displayed, possibly allowing an attacker to inject HTML into the page (XSS). Tested with phalcon
- Class affected:
\Phalcon\Flash\Session
- Method used:
{{ flashSession.output() }}
System:
- Phalcon version: 2.0.10
- OS: Tested on Ubuntu
Code examples:
use Phalcon\Flash\Session;

// Registering the flash session service in my dependency injection container
$di->set('flashSession', function () {
    // The CSS classes below are the only markup Flash adds around each message
    return new Session([
        'error'   => 'alert alert-danger',
        'success' => 'alert alert-success',
        'notice'  => 'alert alert-info',
        'warning' => 'alert alert-warning'
    ]);
});
// Adding messages inside of a controller
$this->flashSession->success("<script>alert('This will execute as JavaScript!')</script>");
// Echoing out the messages in a volt template (the message is printed as HTML)
{{ flashSession.output() }}
// Same result
{{ flashSession.output() | escape }}
// Also the same result
{% autoescape true %}
{{ flashSession.output() }}
{% endautoescape %}
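The following is an added example, not code from the original report or from the Phalcon project, showing the mitigation a defender would apply: escape the message text at the point it is handed to the flash object, so that the markup emitted by output() only ever contains the configured CSS classes. The helper names flashSafe and renderFlash are assumptions made for this example; renderFlash only imitates the class-wrapped markup Flash produces so that the effect can be seen without a Phalcon installation.

```php
<?php
// Added example (not from the original report): escape flash message text
// before it reaches Phalcon\Flash\Session, since output() emits it as raw HTML.
// The helper names flashSafe and renderFlash are assumptions for this example.

declare(strict_types=1);

/**
 * Escape a flash message so that only the CSS classes configured in the
 * Flash object contribute markup; the message text itself becomes inert.
 */
function flashSafe(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Imitation of what Flash renders for one message: the configured CSS class
 * wrapping the message text. Used here only to make the difference visible.
 */
function renderFlash(string $cssClass, string $message): string
{
    return '<div class="' . $cssClass . '">' . $message . '</div>';
}

// Constructed input: the payload from the report, as a user could submit it
// through any form field that later ends up in a flash message.
$untrusted = "<script>alert('This will execute as JavaScript!')</script>";

// Vulnerable: the text is passed through unchanged, so the browser runs it.
echo renderFlash('alert alert-success', $untrusted), PHP_EOL;

// Hardened: escape when the message is created, before it is stored in the session.
echo renderFlash('alert alert-success', flashSafe($untrusted)), PHP_EOL;

// In a controller the same call becomes (assumes the DI setup from the report):
//   $this->flashSession->success(flashSafe($userSuppliedText));
```

Escaping has to happen before the message is stored because output() echoes the markup itself rather than returning it, which is why applying Volt's escape filter or an autoescape block to the call has no effect. An alternative that keeps escaping in the template is to read the messages with flashSession.getMessages(), which returns them instead of echoing, and apply the escape filter to each entry while iterating in Volt.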