Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks

Fixes #454
2025-08-03 09:54:27 +02:00 · 2022-09-14 11:38:18 +02:00
parent 25051e6e88
commit f1f7ee6e34
3 changed files with 40 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

-### Fixes
+### Security
+- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://github.com/smarty-php/smarty/issues/454)
+
+### Fixed
 - Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)

 ## [3.1.46] - 2022-08-01
--- a/libs/plugins/function.mailto.php
+++ b/libs/plugins/function.mailto.php
@@ -48,8 +48,13 @@
 */
 function smarty_function_mailto($params)
 {
-    static $_allowed_encoding =
-        array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
+    static $_allowed_encoding = array(
+        'javascript' => true,
+        'javascript_charcode' => true,
+        'hex' => true,
+        'none' => true
+    );
+
    $extra = '';
    if (empty($params[ 'address' ])) {
        trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
@@ -57,11 +62,11 @@ function smarty_function_mailto($params)
    } else {
        $address = $params[ 'address' ];
    }
+
    $text = $address;
+
    // netscape and mozilla do not decode %40 (@) in BCC field (bug?)
    // so, don't encode it.
-    $search = array('%40', '%2C');
-    $replace = array('@', ',');
    $mail_parms = array();
    foreach ($params as $var => $value) {
        switch ($var) {
@@ -69,7 +74,7 @@ function smarty_function_mailto($params)
            case 'bcc':
            case 'followupto':
                if (!empty($value)) {
-                    $mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
+                    $mail_parms[] = $var . '=' . str_replace(array('%40', '%2C'), array('@', ','), rawurlencode($value));
                }
                break;
            case 'subject':
@@ -83,6 +88,7 @@ function smarty_function_mailto($params)
            default:
        }
    }
+
    if ($mail_parms) {
        $address .= '?' . join('&', $mail_parms);
    }
@@ -94,19 +100,21 @@ function smarty_function_mailto($params)
        );
        return;
    }
+
+    $string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) .
+        '" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . '</a>';
+
    if ($encode === 'javascript') {
-	    $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
        $js_encode = '';
        for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
            $js_encode .= '%' . bin2hex($string[ $x ]);
        }
        return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
    } elseif ($encode === 'javascript_charcode') {
-        $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
        for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
            $ord[] = ord($string[ $x ]);
        }
-	    return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
+        return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
    } elseif ($encode === 'hex') {
        preg_match('!^(.*)(\?.*)$!', $address, $match);
        if (!empty($match[ 2 ])) {
@@ -129,6 +137,6 @@ function smarty_function_mailto($params)
        return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
    } else {
        // no encoding
-        return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
+        return $string;
    }
 }
--- a/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/PluginFunction/PluginFunctionMailtoTest.php
@@ -150,7 +150,7 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty

    public function testUmlauts()
    {
-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
        $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
        $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
    }
@@ -158,9 +158,26 @@ class PluginFunctionMailtoTest extends PHPUnit_Smarty
    public function testUmlautsWithoutMbstring()
    {
        Smarty::$_MBSTRING = false;
-        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
+        $result = '<a href="mailto:me+smtpext@example.com?cc=you@example.com,they@example.com&amp;subject=h%C3%A4llo%20w%C3%B6rld" >me+smtpext@example.com</a>';
        $tpl = $this->smarty->createTemplate('eval:{mailto address="me+smtpext@example.com" cc="you@example.com,they@example.com" subject="hällo wörld"}');
        $this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
        Smarty::$_MBSTRING = true;
    }
+
+	public function testJavascriptChars()
+	{
+		$result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
+		$this->smarty->assign('address', 'me@example.com">me@example.com\'); alert("injection"); //');
+		$tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
+		$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+	}
+
+	public function testHtmlChars()
+	{
+		$result = '<a href="mailto:me@example.com&quot;&gt;&lt;h1&gt;" class="email">me@example.com&quot;&gt;&lt;h1&gt;</a>';
+		$this->smarty->assign('address', 'me@example.com"><h1>');
+		$tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
+		$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
+	}
+
 }