

Merge pull request #80 from 418sec/1-packagist-spoon/library
Security Fix for XSS in Spoon form types hidden, date and time - huntr.dev
carakas authored Mar 24, 2021
2 parents 60d09f4 + a8bfbb4 commit 8a81581
Showing 5 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion spoon/form/date.php
Expand Up @@ -377,7 +377,7 @@ public function parse($template = null)
if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a date field. Please provide a valid name.');

// start html generation
$output = '<input type="text" value="' . $this->getValue() . '"';
$output = '<input type="text" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
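Review bot: The unescaped value still reaches the markup on the line right after the fix: `getAttributesHTML(array(... '[value]' => $this->getValue()))` hands the raw string in as the replacement for a `[value]` placeholder, so any attribute that contains `[value]` is rendered with exactly the text the `value="..."` attribute just stopped emitting. Unless getAttributesHTML escapes its replacement map itself (not visible in this hunk), the entry should be `'[value]' => SpoonFilter::htmlspecialchars($this->getValue())` so both emission paths agree. It is also not visible whether SpoonFilter::htmlspecialchars passes ENT_QUOTES; for the double-quoted attribute here `"` is the character that matters and the default flags cover it, but confirm the wrapper's flags once rather than per field. parse() begins above this hunk and continues below it.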
2 changes: 1 addition & 1 deletion spoon/form/hidden.php
Expand Up @@ -109,7 +109,7 @@ public function isFilled()
public function parse($template = null)
{
// start html generation
$output = '<input type="hidden" value="' . $this->getValue() . '"';
$output = '<input type="hidden" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';

// build attributes
$attributes = array();
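Review bot: The fix is only as good as SpoonFilter::htmlspecialchars, whose flags and charset are not visible here; it should be confirmed to call PHP's htmlspecialchars with `ENT_QUOTES | ENT_SUBSTITUTE` and an explicit `'UTF-8'`, because without ENT_SUBSTITUTE (or ENT_IGNORE) PHP returns an empty string for a value containing an invalid UTF-8 sequence, and a hidden field would then silently post back empty. The diffstat shows five source files and no test, so nothing pins that a value such as `"><script>` renders as `&quot;&gt;&lt;script&gt;`; a one-line assertion on parse() output would guard against the escaping being dropped again. The attribute loop that follows `$attributes = array();` is outside the hunk, so whether the value is re-emitted there cannot be judged from this view; parse() continues below the hunk.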
2 changes: 1 addition & 1 deletion spoon/form/password.php
Expand Up @@ -273,7 +273,7 @@ public function parse($template = null)
if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a password field. Please provide a name.');

// start html generation
$output = '<input type="password" value="' . str_replace(array('"', '<', '>'), array('&quot;', '&lt;', '&gt;'), $this->getValue()) . '"';
$output = '<input type="password" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
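Review bot: The raw `$this->getValue()` is still passed as the `[value]` replacement to getAttributesHTML on the following line, so the escaping applied to the value attribute is bypassed for any attribute string that uses the `[value]` placeholder, unless getAttributesHTML escapes on its own (not shown). Make the two paths consistent with `'[value]' => SpoonFilter::htmlspecialchars($this->getValue())`. Note the replaced str_replace escaped only `"`, `<` and `>`, so `&` in a password was previously emitted bare; the new wrapper presumably encodes it, which is the correct round-trip for an attribute but is a visible output change worth a changelog line. parse() starts before and ends after this hunk.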
2 changes: 1 addition & 1 deletion spoon/form/text.php
Expand Up @@ -788,7 +788,7 @@ public function parse($template = null)
if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a textfield. Please provide a name.');

// start html generation
$output = '<input value="' . str_replace(array('"', '<', '>'), array('&quot;', '&lt;', '&gt;'), $this->getValue()) . '"';
$output = '<input value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
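Review bot: Only the literal `value="..."` attribute is escaped; the very next line still builds the remaining attributes with `'[value]' => $this->getValue()`, so a placeholder-bearing attribute (for example a title or data-* attribute set by the caller) receives the unescaped string. If getAttributesHTML does not escape its replacements, which this hunk cannot show, use `'[value]' => SpoonFilter::htmlspecialchars($this->getValue())` here too. The old str_replace list omitted `&` and `'`; the new call presumably covers `&`, and `'` only matters if the wrapper passes ENT_QUOTES and some attribute is ever single-quoted, so confirm the wrapper's flags once. parse() extends beyond both ends of the hunk.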
2 changes: 1 addition & 1 deletion spoon/form/time.php
Expand Up @@ -216,7 +216,7 @@ public function parse($template = null)
if($this->attributes['name'] == '') throw new SpoonFormException('A name is required for a time field. Please provide a name.');

// start html generation
$output = '<input type="text" value="' . $this->getValue() . '"';
$output = '<input type="text" value="' . SpoonFilter::htmlspecialchars($this->getValue()) . '"';

// add attributes
$output .= $this->getAttributesHTML(array('[id]' => $this->attributes['id'], '[name]' => $this->attributes['name'], '[value]' => $this->getValue())) . ' />';
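Review bot: The same unescaped value is passed again on the next line as the `[value]` replacement in getAttributesHTML, so the fix covers the value attribute but not any attribute whose template contains `[value]`; unless getAttributesHTML escapes its map (not visible), change that entry to `'[value]' => SpoonFilter::htmlspecialchars($this->getValue())`. Since date, time, text and password share this exact pattern, escaping once inside getAttributesHTML (or a small `getEscapedValue()` helper on the base field) would be less fragile than repeating the wrapper call at each emission site. The commit title names only hidden, date and time although password and text are patched too; the description should list all five. parse() starts above and continues below the hunk.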
