Mail templates still use regexp replace instead of HTML::Template variables
Concerned version
Version: 2.0.4
Platform: (Nginx/Apache/Node.js)
Summary
Web templates use TMPL_VAR to insert variables, which allows the template designer to specify HTML escaping rules.
Mail templates, however, use the following syntax:
<span trspan="hello">Hello</span> $firstname $lastname,<br />
This leads to a possible attack scenario when registration is enabled:
- Write some shady JS code in your first name and last name fields
- Write someone else's email address in the email field
LLNG will then send an email containing the unescaped HTML to the target, with a nice, legitimate-looking From: header.
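To make the difference between the two template mechanisms concrete, here is an added example (not LemonLDAP::NG's own code) that renders the same attacker-supplied first name through a plain "$var" regexp substitution and through HTML::Template with ESCAPE="HTML". The render_regexp function is a simplified stand-in for the mail-template substitution described above, not the project's implementation; the sample registration data is constructed, and the only assumption is that the HTML::Template module is installed.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): contrasts blind "$var" replacement,
# as used by the mail templates, with HTML::Template's TMPL_VAR ESCAPE="HTML".
use strict;
use warnings;
use HTML::Template;

# Constructed registration data: the first name carries a script tag,
# which is the scenario from the report.
my %user = (
    firstname => "<script>alert('oops')</script>",
    lastname  => 'Doe',
);

# 1. Mail-template style: every "$name" is replaced by the raw value.
#    No escaping happens, so markup in the value reaches the recipient as HTML.
#    (Simplified stand-in for the real substitution, assumption of this example.)
sub render_regexp {
    my ( $tmpl, $vars ) = @_;
    $tmpl =~ s/\$(\w+)/exists $vars->{$1} ? $vars->{$1} : "\$$1"/ge;
    return $tmpl;
}

# 2. Web-template style: HTML::Template with ESCAPE="HTML" on each TMPL_VAR.
#    The module entity-encodes &, ", ', < and > before inserting the value,
#    so the script tag is rendered as visible text, not executed.
sub render_html_template {
    my ( $tmpl, $vars ) = @_;
    my $t = HTML::Template->new(
        scalarref         => \$tmpl,
        die_on_bad_params => 0,    # ignore params the template does not use
    );
    $t->param(%$vars);
    return $t->output;
}

my $mail_tmpl = 'Hello $firstname $lastname,<br />';
my $web_tmpl  = 'Hello <TMPL_VAR NAME="firstname" ESCAPE="HTML"> '
              . '<TMPL_VAR NAME="lastname" ESCAPE="HTML">,<br />';

print "regexp : ", render_regexp( $mail_tmpl, \%user ),        "\n";
print "escaped: ", render_html_template( $web_tmpl, \%user ), "\n";
```

Running it prints two lines: the "regexp" line still contains the literal <script> element, while the "escaped" line has the angle brackets and quotes replaced by HTML entities. The escaping decision lives in the template (the ESCAPE attribute), which is exactly what the "$var" syntax cannot express.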
Logs
The attempt is detected:
May 17 14:37:24 lemonregister LLNG[695]: XSS attack detected (param: lastname | value: <script>alert('oops')</script>)
But the mail is sent anyway.
Possible fixes
My suggestion is to use the TMPL_VAR method instead, which allows escaping. However, it would break existing mail templates.
So:
- Do we remove this $attribute, potentially insecure way of doing things, and warn users that they have to fix their templates?
- Or do we rewrite the current default templates to use the TMPL_VAR syntax, but keep the $var syntax working for compatibility until 2.1?
I'll commit a fix for this after getting your input.