HTML injection #237

@emedinainnotec

Many templates based on Astroid Framework use the getBodyClass() function to add classes to the body.
When using the payload `?task=">micustomhtml` or `?layout=">mycustomhtml`, we can break the HTML structure and show our custom message.
The "<" character cannot be injected, so we can't execute any JavaScript or CSS, but we can inject our message into other websites.
This problem is caused by an incorrect input filter in the getBodyClass() function of libraries/astroid/framework/library/astroid/Document.php:

```php
$option = $app->input->get('option', '', 'STRING');
$view = $app->input->get('view', '', 'STRING');
$layout = $app->input->get('layout', 'default', 'STRING'); // Input filter should be 'ALNUM' or use a custom regex
$task = $app->input->get('task', '', 'STRING'); // Input filter should be 'ALNUM' or use a custom regex
$header = $params->get('header', TRUE);
$headerMode = $params->get('header_mode', 'horizontal', 'STRING');
$Itemid = $app->input->get('Itemid', '', 'INT');
```
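
The following is an added example, not part of the original issue and not Astroid's code: a simplified stand-alone model of the attribute break-out described above, next to a hardened variant that applies a custom-regex filter and encodes the attribute on output. The function names, the `layout-`/`task-` class naming, and the use of `strip_tags()` as a stand-in for the loose filter are assumptions made for illustration.

```php
<?php
// Added example, not Astroid's code: a simplified model of building the
// <body> class attribute from request parameters.

// Assumption: stands in for a filter that strips tags but lets '"' and '>' through.
function looseFilter(string $value): string
{
    return trim(strip_tags($value));
}

// Custom-regex filter: keep only characters valid in a plain class token.
function classTokenFilter(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $value) ?? '';
}

// Hypothetical class naming ("layout-x task-y"); defaults mirror the issue's snippet.
function buildBodyClass(array $query, callable $filter): string
{
    $classes = [];
    foreach (['layout' => 'default', 'task' => ''] as $key => $default) {
        $raw = $query[$key] ?? $default;
        // Array-valued parameters (?task[]=x) fall back to the default.
        $value = $filter(is_string($raw) ? $raw : $default);
        if ($value !== '') {
            $classes[] = $key . '-' . $value;
        }
    }
    return implode(' ', $classes);
}

// Constructed request carrying the payload quoted in the issue.
$query = ['task' => '">micustomhtml'];

// Before: the quote closes the attribute and the text lands in the page body.
echo '<body class="' . buildBodyClass($query, 'looseFilter') . '">', PHP_EOL;

// After: strict filter on input, plus attribute encoding on output so a future
// filter regression still cannot break out of class="...".
$safe = htmlspecialchars(buildBodyClass($query, 'classTokenFilter'), ENT_QUOTES, 'UTF-8');
echo '<body class="' . $safe . '">', PHP_EOL;
```

Encoding at the point of output is the control that holds even if a later change loosens the input filter again.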
