fix: escape URL in shariff widget to prevent reflected XSS#53

Open

GustavoCasiano wants to merge 1 commit into ojsde:main from escire-ojs-plugins:main

Conversation

@GustavoCasiano


Summary

Fixes a reflected XSS vulnerability in the Shariff plugin where the current page URL was assigned to data-mail-body and data-url attributes without sanitization. An attacker could craft a URL with a raw " character to break out of the HTML attribute and inject arbitrary HTML/JavaScript into the page.

Affected attribute:

<!-- Before: attribute breakout possible -->
<div data-mail-body="https://example.org/article/view/1?x"><script>alert(1)</script>">

<!-- After: safely escaped -->
<div data-mail-body="https://example.org/article/view/1?x&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">

Proof of concept (curl, bypasses browser URL-encoding):

curl -sk --path-as-is \
  'https://your-ojs/index.php/journal/article/view/1?x"><script>alert(1)</script>' \
  | grep 'data-mail-body'

Changes

Security fix — reflected XSS:

  • ShariffPlugin.php: apply htmlspecialchars(..., ENT_QUOTES, 'UTF-8') to $requestedUrl before assigning to template (defense in depth — templates already use |escape, but the raw value was passed in).
  • ShariffBlockPlugin.php: same fix.

Improvement — suppress console error when backend is not installed:

  • ShariffPlugin.php / ShariffBlockPlugin.php: only set $backendUrl when the shariff-backend/ directory actually exists on disk. Previously the attribute was always emitted, causing JSON.parse errors in the browser console when the optional PHP backend was not installed.
  • templates/shariffButtons.tpl: render data-backend-url only when $backendUrl is non-null.

Testing

# XSS fix — must return escaped entities, not a raw quote
curl -sk --path-as-is \
  'https://your-ojs/index.php/journal/article/view/1?x"><script>alert(1)</script>' \
  | grep -o 'data-mail-body="[^"]*"'
# Expected: data-mail-body="...?x&quot;&gt;&lt;script&gt;..."

# Backend fix — attribute must be absent when shariff-backend/ does not exist
curl -sk 'https://your-ojs/index.php/journal/article/view/1' \
  | grep 'data-backend-url'
# Expected: no output

Classification

  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • CWE-116: Improper Encoding or Escaping of Output
  • CAPEC-591: Reflected XSS
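The two changes described in this PR, as an added stand-alone PHP example (not the plugin's own code): the requested URL is passed through htmlspecialchars with ENT_QUOTES before it lands in data-url / data-mail-body, and data-backend-url is emitted only when the shariff-backend/ directory exists. The function names, the plugin base URL and the sample payload are assumptions made for this illustration.

```php
<?php
// Added example, not code from the Shariff plugin. Names are illustrative.

function escapeAttr(string $value): string
{
    // The call the PR applies to $requestedUrl: ENT_QUOTES encodes both " and ',
    // so the value can no longer terminate the attribute it is placed in.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function backendUrlIfInstalled(string $pluginDir, string $pluginBaseUrl): ?string
{
    // Mirrors the PR's condition: only set the backend URL when the optional
    // PHP backend is actually present on disk.
    return is_dir($pluginDir . '/shariff-backend')
        ? $pluginBaseUrl . '/shariff-backend/'
        : null;
}

function renderShariffDiv(string $requestedUrl, ?string $backendUrl): string
{
    $attrs = sprintf(
        'data-url="%s" data-mail-body="%s"',
        escapeAttr($requestedUrl),
        escapeAttr($requestedUrl)
    );
    // Absent attribute instead of an empty one: the widget then never tries to
    // fetch a backend that is not installed, so no JSON.parse error in the console.
    if ($backendUrl !== null) {
        $attrs .= ' data-backend-url="' . escapeAttr($backendUrl) . '"';
    }
    return '<div class="shariff" ' . $attrs . '></div>';
}

// Constructed input: the same attribute-breakout payload the PR's PoC sends.
$requestedUrl = 'https://example.org/article/view/1?x"><script>alert(1)</script>';
$backendUrl   = backendUrlIfInstalled(__DIR__, 'https://example.org/plugins/generic/shariff');
$html         = renderShariffDiv($requestedUrl, $backendUrl);

// Self-check of the fix: the payload must survive only as entities, never as markup,
// and no backend attribute may appear when the directory is missing.
if (strpos($html, '<script') !== false || strpos($html, '&lt;script&gt;') === false) {
    throw new RuntimeException('escaping failed: attribute breakout still possible');
}
if ($backendUrl === null && strpos($html, 'data-backend-url') !== false) {
    throw new RuntimeException('data-backend-url emitted without an installed backend');
}
echo $html, PHP_EOL;
```

Run it from a directory without a shariff-backend/ subfolder to see the attribute omitted; create that folder to see it emitted.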
