Skip to content

Patched XSS vulnerablity#263

Open
jacobd91 wants to merge 5 commits intomasterfrom
ENG7-1407-xss-vul
Open

Patched XSS vulnerablity#263
jacobd91 wants to merge 5 commits intomasterfrom
ENG7-1407-xss-vul

Conversation

@jacobd91
Copy link
Contributor

@jacobd91 jacobd91 commented Feb 27, 2026
edited by cssjoe
Loading

https://imh-internal.atlassian.net/browse/ENG7-1407

Manual Testing Guide

Prerequisites

  1. A WordPress install with weForms active
  2. A weForms form containing a Hidden Field (note its meta
    key name)
  3. A page with the form shortcode (e.g. [weforms id="172"])
  4. A Subscriber-level user account with an Application
    Password (WP Admin → Users → Edit User → Application
    Passwords)
  5. Note the form ID and page ID

Step 1 — Get a WPUF nonce

curl -s -u 'SUBSCRIBER_USER:APP_PASSWORD' "https://yoursite.com/wp-json/wp/v2/pages/PAGE_ID"  | grep -o 'value="[a-f0-9]*"' | head -1

Copy the nonce value from the output.

Step 2 — Submit an XSS payload via REST API

curl -s -X POST -u 'SUBSCRIBER_USER:APP_PASSWORD' -d '_wpnonce=NONCE&hidden_test=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&name%5Bfirst%5D=Test&name%5Blast%5D=User&email=test%40test.com&message=test+message&form_id=FORM_ID' "https://yoursite.com/wp-json/weforms/v1/forms/FORM_ID/entries/"

Expected response (patched): the hidden_test value in the
response data should be ">" — the tag stripped.

Expected response (unpatched): the full payload "> appears unsanitized.

Step 3 — Verify no XSS in the entries list

Log in as admin and navigate to weForms → (your form) →
Entries.

  • Patched: no alert() dialog; hidden field column shows ">
    as plain text
  • Unpatched: alert() fires on page load

Step 4 — Verify no XSS in the entry detail view

Click Details on the entry submitted in Step 2.

  • Patched: hidden field value shows as escaped text ">; no
    dialog
  • Unpatched: alert() fires

Step 5 — Verify textarea display is unaffected

Submit a normal entry through the front-end form (or via
the same curl command with a clean message value). Open the
entry detail view.

  • Patched: the Message field renders its content normally
    (paragraph-wrapped text displays as formatted text, not as
    escaped <p> tags)

Step 6 — Verify normal hidden field values are unaffected

Submit with a clean hidden field value:

curl -s -X POST -u 'SUBSCRIBER_USER:APP_PASSWORD' -d '_wpnonce=NONCE&hidden_test=my-tracking-value&name%5Bfirst%5D=Test&name%5Blast%5D=User&email=test%40test.com&message=test+message&form_id=FORM_ID' "https://yoursite.com/wp-json/weforms/v1/forms/FORM_ID/entries/"

Expected: hidden_test stored and displayed as
my-tracking-value with no truncation or mangling.

@jacobd91 jacobd91 requested review from Copilot and cssjoe February 27, 2026 18:11
@jacobd91 jacobd91 self-assigned this Feb 27, 2026
@jacobd91 jacobd91 marked this pull request as draft February 27, 2026 18:11
@jacobd91 jacobd91 marked this pull request as ready for review February 27, 2026 18:20
Copilot AI reviewed Feb 27, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses an XSS vector in weForms entry handling by sanitizing stored entry values (notably for hidden fields submitted via the REST API) and by removing unsafe HTML rendering in the admin SPA entry list/detail UI.

Changes:

  • Sanitize scalar entry values in the default prepare_entry() flow to prevent unsanitized hidden-field payloads submitted via REST.
  • Replace v-html rendering with Vue’s escaped interpolation for entry list/table cells.
  • Restrict v-html usage in the entry single/detail view to textarea fields (and keep existing special cases like address).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
includes/fields/class-abstract-fields.php Sanitizes default scalar entry values during entry preparation (impacts hidden field REST submissions).
assets/spa/components/form-entry-single/template.php Adjusts entry-detail rendering to avoid v-html for most field types, limiting raw HTML rendering to textarea.
assets/js-templates/spa-components.php Updates generated SPA templates to escape entry field values in list/detail views instead of rendering raw HTML.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cssjoe cssjoe requested a review from Copilot March 2, 2026 20:05
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jacobd91 and others added 2 commits March 2, 2026 21:08
@jacobd91 @claude
Fix PHP warnings for undefined array keys
8cace47 
- Remove dead $org_field assignment in get_changed_fields() that triggered
  "Undefined array key 'original_name'" before the existing empty() guard
- Add empty() check on wpuf_cond before dereferencing condition_status to
  fix "Trying to access array offset on null" when a field has no cond logic

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jacobd91
Addressed feedback
114c8d5
@cssjoe cssjoe requested a review from Copilot March 2, 2026 21:56
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

includes/class-form-entry.php
Comment on lines 376 to +380
if ( isset( $_REQUEST['action'] ) != 'weforms_pdf_download' ) {
$url = content_url() . '/' . $value;
$url = esc_url( content_url() . '/' . $value );
$value = sprintf( '<img src="%s">', $url );
$value .= sprintf( '<a style="margin-left: -200px" href="%s">Download</a>', $url );
}
else{
} else {
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the signature_field rendering, the condition isset( $_REQUEST['action'] ) != 'weforms_pdf_download' compares a boolean to a string, so it will always evaluate true and the else branch is effectively unreachable. This can break the intended PDF-download behavior and URL handling. Compare the actual action value (and handle missing action) instead of using isset() in the comparison.

Copilot uses AI. Check for mistakes.
includes/class-form-entry.php
$full_size = wp_get_attachment_url( $attachment_id );
$full_size = esc_url( wp_get_attachment_url( $attachment_id ) );

$file_field .= sprintf( '<a href="%s" target="_blank">%s</a> ', $full_size, $thumb );
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The generated file links use target="_blank" without a rel attribute. Add rel="noopener noreferrer" to prevent reverse-tabnabbing when admins click uploaded file links.

Suggested change
$file_field .= sprintf( '<a href="%s" target="_blank">%s</a> ', $full_size, $thumb );
$file_field .= sprintf( '<a href="%s" target="_blank" rel="noopener noreferrer">%s</a> ', $full_size, $thumb );

Copilot uses AI. Check for mistakes.
assets/js-templates/spa-components.php
<div v-else-if="field.type === 'address_field'" v-html="getAddressFieldValue( field.value)"></div>
<div v-else v-html="field.value"></div>
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
<div v-else-if="field.type === 'image_upload' || field.type === 'file_upload' || field.type === 'signature_field' || field.type === 'checkbox_grid' || field.type === 'multiple_choice_grid'" v-html="field.value"></div>
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This template now escapes the default field renderer ({{ field.value }}), which means field types that return HTML formatting from the backend (e.g. multiple_product values built with <br> separators) will render with visible tags. If those types are meant to be formatted, they should be explicitly allowlisted for v-html and their backend values should be sanitized (e.g. wp_kses_post) before being returned to the SPA.

Suggested change
<div v-else-if="field.type === 'image_upload' || field.type === 'file_upload' || field.type === 'signature_field' || field.type === 'checkbox_grid' || field.type === 'multiple_choice_grid'" v-html="field.value"></div>
<div v-else-if="field.type === 'image_upload' || field.type === 'file_upload' || field.type === 'signature_field' || field.type === 'checkbox_grid' || field.type === 'multiple_choice_grid'" v-html="field.value"></div>
<div v-else-if="field.type === 'multiple_product'" v-html="field.value"></div>

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cssjoe cssjoe Awaiting requested review from cssjoe

At least 1 approving review is required to merge this pull request.

Assignees

@jacobd91 jacobd91

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacobd91