  • Hi MODX People,

    I'd like to find out how I can secure all FormIt forms against Cross Site Scripting with some extra code, without having to use an output modifier. It's been known for some months and was explained as a feature, as some people might want to receive unfiltered form submissions: http://tracker.modx.com/issues/5182

    It has been discussed in the German forums some time in 2011: http://www.modxcms.de/forum/comments.php?DiscussionID=5077

    The solution proposed there was to give each placeholder an output modifier of :htmlent, like this:
    [[!+fi.*:htmlent]]


    What would be the way to have FormIt cut out the "bad code" by default? Maybe via a default system setting and a hook to allow code in some fields?

    Cheers,

    Guido
    • Suppose you could use a custom posthook like this which runs htmlentities on all values:

      <?php
      // FormIt posthook: $hook is the fiHooks instance FormIt passes to the snippet.
      // HTML-encode every submitted value before it is emailed or set as a placeholder.
      $values = $hook->getValues();
      foreach ($values as $key => $value) {
        $values[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');
      }
      $hook->setValues($values);
      return true; // a hook must return true for FormIt to continue


      It's worthy of a discussion to see what the best way to handle stuff like this is - I wouldn't be opposed to a FormIt property that is enabled by default which runs every input through htmlentities. As far as I know, as long as your page is properly UTF-8 encoded and you use htmlentities as in my example above, you are pretty much safe from XSS.
        Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

        Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
        Right now, I have put the output modifier into all placeholders. I'd like to have a kind of clean solution for further projects, as not all users will test their sites against security issues like my client does.

        So, I'd appreciate a general discussion, as it's not my special topic. To be honest, nothing feels like my special topic right now :/
          Hi Guido,

          as far as our tests show, 'htmlent' is set as standard for all formit-placeholders.

          Using htmlent versus not using htmlent delivers almost the same output for the following input on reloading a formit-page:

          input:
          <script>alert('xss')</script> <a href="Test">Test</a>

          1. output without htmlent on reloading:

          Test

          2. with htmlent:

          Test

          (Between the two tags there are originally 8 space characters. In case 1 the output has space characters in front of 'Test', which seems to be cleared by the forum software.)

          Can anybody from the MODX team confirm whether this is correct and whether it makes no difference to use htmlent or not? Or did we make any mistake in these tests?
          • With the help of Mark Hamstra (Thanks, buddy!!!) I got this solution to work using a FormIt validator:
            [[!FormIt?
               ...
              &customValidators=`FormItHtmlEnt`
              &validate=`
               fieldname1:required:FormItHtmlEnt,  
               fieldname2:required:FormItHtmlEnt
            ]]

            With FormItHtmlEnt being this snippet:
            <?php
            // Custom FormIt validator: $validator (fiValidator), $key and $value are
            // supplied by FormIt; overwrite the field with its HTML-encoded form.
            $validator->fields[$key] = htmlentities($value, ENT_QUOTES, $encoding);
            return true; // true = the field passes validation
              MINDEFFECTS – DESIGN for PRINT, WEB and MEDIA
              http://twitter.com/mindeffects · http://www.facebook.com/mindeffects · http://www.youtube.com/mindeffects/ · skype://mindeffects_oliver
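Pulling the two approaches in this thread (Mark's posthook and the FormItHtmlEnt validator above) into one reusable function, as an added example that is not code from this thread or from FormIt itself: it encodes every submitted value recursively (checkbox and multi-select fields arrive as PHP arrays, which a bare htmlentities() call would not handle), leaves an explicit allowlist of fields unencoded to cover Guido's "allow code in some fields" case, and can be called from either a hook or a validator. The snippet name FormItEncodeHook and the &allowHtmlFields property are assumptions for illustration; $hook, $modx and $scriptProperties are the objects FormIt and MODX normally put in a snippet's scope, and the sample submission at the bottom is constructed from the input used in the tests above.

```php
<?php
// Added example, not code from the thread or from FormIt.
// Recursively HTML-encode every submitted value so that echoing it back into a
// [[!+fi.field]] placeholder cannot inject markup. Keys listed in $allowHtml
// keep their raw content (the "allow code in some fields" case).
function encodeSubmission(array $values, array $allowHtml = array(), $charset = 'UTF-8')
{
    foreach ($values as $key => $value) {
        if (in_array($key, $allowHtml, true)) {
            continue; // the site owner explicitly accepts raw HTML in this field
        }
        if (is_array($value)) {
            // checkbox / multi-select fields: encode each item, never the allowlist
            $values[$key] = encodeSubmission($value, array(), $charset);
        } elseif (is_string($value)) {
            // ENT_QUOTES also encodes ' so attribute-context injection is covered
            $values[$key] = htmlentities($value, ENT_QUOTES, $charset);
        }
        // ints, bools and null carry no markup and are left alone
    }
    return $values;
}

// Wiring as a FormIt hook (hypothetical snippet name "FormItEncodeHook").
// $hook is supplied by FormIt; &allowHtmlFields=`message,bio` is an assumed
// FormIt property, read here from $scriptProperties (assumption: FormIt merges
// its properties into the hook snippet's scope).
if (isset($hook) && is_object($hook)) {
    $raw   = isset($scriptProperties['allowHtmlFields']) ? $scriptProperties['allowHtmlFields'] : '';
    $allow = array_filter(array_map('trim', explode(',', $raw)));
    // modx_charset is the real MODX system setting for the site encoding
    $charset = $modx->getOption('modx_charset', null, 'UTF-8');
    $hook->setValues(encodeSubmission($hook->getValues(), $allow, $charset));
    return true;
}

// Stand-alone demonstration (constructed sample submission, run with `php file.php`).
$submitted = array(
    'name'    => "<script>alert('xss')</script> <a href=\"Test\">Test</a>",
    'colors'  => array('red', '"><img src=x onerror=alert(1)>'),
    'message' => '<b>kept as HTML on purpose</b>',
);
print_r(encodeSubmission($submitted, array('message')));
```

Two practical notes. FormIt runs &hooks only after validation has succeeded, so a posthook on its own does not change what FormIt echoes back into the [[!+fi.*]] placeholders when validation fails; calling the same function from a custom validator, as the FormItHtmlEnt post does, covers that re-render too. And whatever the hook encodes, any placeholder that renders a field the hook did not see (or an allowlisted field) still needs :htmlent or an equivalent filter at output time.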
              Great share!
                @hawproductions | http://mrhaw.com/

                Infograph: MODX Advanced Install in 7 steps:
                http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

                Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
                http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower