Security: stored XSS via language name in admin panel #8607
Merged
Conversation
The admin language list rendered the stored original_name directly inside an input value attribute (and a label / table cell) without HTML-attribute encoding, so a name containing a double quote could break out of the value attribute and inject an event handler that runs in another admin's browser. Encode the value with htmlspecialchars(..., ENT_QUOTES, 'UTF-8') at every render point of original_name.

Refs GHSA-j9jg-h6cw-jj7v
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

The admin language management list rendered the stored original_name of a language directly inside an HTML value="..." attribute (and also in a <label> and a table cell) without HTML-attribute encoding. A language name containing a double quote could break out of the attribute and inject an event handler, executing arbitrary JavaScript in the browser of any other administrator who opened the language list/edit form — an admin-to-admin stored XSS.

Fix

Encode original_name with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at every point where it is rendered (the text input value, the platform-language label, and the read-only table cell). ENT_QUOTES neutralizes the double-quote attribute breakout.

Invariant now enforced

The stored language name is always emitted as inert, attribute-safe text; it can no longer terminate the value attribute or inject markup/handlers.

OWASP control

A03:2021 – Injection (Stored Cross-Site Scripting).

Refs GHSA-j9jg-h6cw-jj7v

🤖 Generated with Claude Code
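As an added illustration of the fix this PR describes (example code written for this page, not the project's own; the function names e(), renderLanguageRowUnsafe(), renderLanguageRowSafe() and inspectInput() are assumed), the row is rendered both ways and then parsed back the way a browser would parse it, so the effect of the missing attribute encoding is visible in the resulting DOM rather than in the raw string:

```php
<?php
// Added example (not the project's code): the render-time fix from the PR,
// plus a parse-back check that shows why attribute encoding is required.

/** Encode a stored value for HTML text and attribute contexts (the PR's fix). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Before: original_name is interpolated raw into the cell, label and input. */
function renderLanguageRowUnsafe(array $lang): string
{
    $name = $lang['original_name'];
    return '<tr><td>' . $name . '</td><td><label for="name">' . $name . '</label>'
        . '<input id="name" name="original_name" value="' . $name . '"></td></tr>';
}

/** After: every emission of original_name passes through e(). */
function renderLanguageRowSafe(array $lang): string
{
    $name = e($lang['original_name']);
    return '<tr><td>' . $name . '</td><td><label for="name">' . $name . '</label>'
        . '<input id="name" name="original_name" value="' . $name . '"></td></tr>';
}

/** Parse a row as a browser would; return the input's value and attribute names. */
function inspectInput(string $html): array
{
    $doc = new DOMDocument();
    // The XML encoding hint keeps non-ASCII intact; @ silences fragment warnings.
    @$doc->loadHTML('<?xml encoding="UTF-8"><table>' . $html . '</table>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[] = $attr->name;
    }
    return ['value' => $input->getAttribute('value'), 'attributes' => $attrs];
}

// Constructed sample: a stored name carrying a double quote and extra markup.
$lang = ['original_name' => 'Español" data-x="<b>'];
foreach (['unsafe' => 'renderLanguageRowUnsafe', 'safe' => 'renderLanguageRowSafe'] as $mode => $fn) {
    $r = inspectInput($fn($lang));
    printf("%-6s value-round-trips=%s attributes=%s\n", $mode,
        var_export($r['value'] === $lang['original_name'], true), implode(',', $r['attributes']));
}
```

With this sample the unsafe row parses into an input whose value attribute is cut off at the quote and which carries a foreign data-x attribute, while the safe row parses back to the full stored name with only the three intended attributes, which is the invariant the PR states.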