Hi,

I just wanted to clarify the behavior of the
Zend_Controller_Router_Route_Module class with respect to how URL parameters
are encoded.  My question is thus:  is there any reason why parameter values
are encoded, but parameter names are not?  

The reason I ask is that we recently happened upon an XSS vector that seemed
obvious enough that it would have been patched already.  It's only an XSS
vector if you forget to escape your URLs with Zend_View::escape(), which is
what we did.  Here's an example:

Make a view script for the 'foo' controller, 'bar' action.  In that view
script, output a URL like so:

<?php echo $this->url(array('controller'=>'foo', 'action'=>'bar'),
'default', false, true); ?>

The last three arguments are optional, but the order is important.  This
only works if you have encoding set to true and reset set to false.  Now
visit the following URL in your browser:
/foo/bar/%22%3e%3cscript%3ealert(11639)%3c/script%3e

Your view script should look like the following:

/foo/bar/"><script>alert(11639)</script%3E

Oops, script injection!  You can see that the default route parsed the URL
in the style of /controller/action/param1/value1, and in this case, the
<script> tag was part of the parameter name, whereas the second script tag
after the slash was encoded properly, only because it was parsed as the
parameter value, not the name.

So my question is, what gives with that?  Shouldn't the parameter name also
be encoded automatically during route assembly? 

Thanks,

Kris
-- 
View this message in context: 
http://www.nabble.com/Routes-and-URL-encoding-parameter-names-tp25755944p25755944.html
Sent from the Zend Framework mailing list archive at Nabble.com.
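An added example (not part of the original post or of Zend Framework) that reproduces the assembly behaviour the post describes with a minimal stand-in, beside a version that encodes names as well as values, and shows the output escaping that holds regardless of what the router does. It assumes the /controller/action/name/value layout the post quotes and the parsed parameters it implies.

```php
<?php
// Added example, not Zend Framework code. Stand-in for module-route assembly
// with the behaviour described in the post: values are urlencoded, names are
// emitted raw. Assumes the /controller/action/name1/value1/... layout.
function assembleUnsafe(array $params): string
{
    $url = '/' . $params['controller'] . '/' . $params['action'];
    unset($params['controller'], $params['action']);
    foreach ($params as $name => $value) {
        // Name goes out raw; only the value is encoded.
        $url .= '/' . $name . '/' . urlencode($value);
    }
    return $url;
}

// Hardened variant: every segment, names included, is urlencoded.
function assembleSafe(array $params): string
{
    $url = '/' . urlencode($params['controller']) . '/' . urlencode($params['action']);
    unset($params['controller'], $params['action']);
    foreach ($params as $name => $value) {
        $url .= '/' . urlencode($name) . '/' . urlencode($value);
    }
    return $url;
}

// Output-layer escape: Zend_View::escape() defaults to htmlspecialchars, so
// the assembled URL is inert as HTML even when the router leaves names raw.
// ENT_QUOTES/UTF-8 are this example's choice, not the framework default.
function escapeForHtml(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed parameters, as the default route would parse the request URL
// quoted in the post: the decoded segment before the last slash becomes the
// parameter name, the segment after it becomes the value.
$params = [
    'controller' => 'foo',
    'action'     => 'bar',
    '"><script>alert(11639)<' => 'script>',
];

// Raw name: the markup survives into the generated URL.
echo assembleUnsafe($params), "\n";
// Encoded name: no markup characters remain in the URL.
echo assembleSafe($params), "\n";
// Escaped at output time: safe even with the unsafe assembly.
echo escapeForHtml(assembleUnsafe($params)), "\n";
```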