LP-2022-01: Reflected XSS vector in laminas/laminas-form

The package laminas/laminas-form contains a laminas/laminas-view view helper for emitting form element, fieldset, and/or form validation errors, formElementError(). Validation messages can contain the original input, potentially resulting in a Reflected XSS vulnerability.

Affected versions

  • laminas/laminas-form versions prior to 2.17.1
  • laminas/laminas-form 3.0.0 — 3.0.1
  • laminas/laminas-form 3.1.0

Action Taken

The view helper was updated to use the escapeHtml() view helper to escape messages prior to emitting them.

The patch resolving the vulnerability is available in:

  • laminas/laminas-form 2.17.1
  • laminas/laminas-form 3.0.2
  • laminas/laminas-form 3.1.1

We highly recommend all users of the package to update immediately.

Mitigations

It is possible to mitigate this issue in versions prior to 3.1.0.

At the top of a view script where you call the formElementErrors() view helper, place the following code:

use Laminas\Form\ElementInterface;
use Laminas\View\PhpRenderer;

$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $element->getMessages();
    if (! $messages) {
        return;
    }

    $escaped  = [];
    array_walk_recursive(
        $messages,
        static function (string $item) use (&$escaped, $renderer): void {
            $escaped[] = $renderer->escapeHtml($item);
        }
    };

    $element->setMessages($escaped);
};

Before calling formElementErrors() with a form, fieldset, or element, call the above closure as follows

// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);

// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);

// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);

Acknowledgments

The Laminas Project thanks the following for identifying the issues and working with us to help protect its users:

  • hklet for advising us of the vulnerability and collaborating on the patch, and their employer, Deutsche Telekom AG.

Released 2022-01-28

Back to advisories

Have you identified a security vulnerability?

Please report it to us at security@getlaminas.org