Cross-site Scripting when rendering error messages in laminas-form

Impact

When rendering validation error messages via the formElementErrors() view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a Reflected Cross-Site Scripting (XSS) attack.

Patches

The following versions were issued to mitigate the vulnerability:

• 2.17.1
• 3.0.2
• 3.1.1

Workarounds

At the top of a view script where you call the formElementErrors() view helper, place the following code:

use Laminas\Form\ElementInterface;
use Laminas\View\PhpRenderer;

$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $element->getMessages();
    if (! $messages) {
        return;
    }

    $escaped  = [];
    array_walk_recursive(
        $messages,
        static function (string $item) use (&$escaped, $renderer): void {
            $escaped[] = $renderer->escapeHtml($item);
        }
    };

    $element->setMessages($escaped);
};

Before calling formElementErrors() with a form, fieldset, or element, call the above closure as follows

// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);

// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);

// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);

For more information

If you have any questions or comments about this advisory:

• Open an issue
• Email us at [email protected]