PO-243 changing escaping for attributes #24
Conversation
![semgrep-code-razorpay[bot]](https://avatars.githubusercontent.com/u/7713209?s=60&v=4){kind=small}
| @@ -52,7 +50,7 @@ function razorpay_view_button() | |||
| <div class="col-sm-4 panel-label">Button Status</div> | |||
| <div class="col-sm-8 panel-value"> | |||
| <span class="status-label">' . esc_html($button_detail['status']) . '</span> | |||
| <button onclick="'.$show.'" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button> | |||
| <button onclick="jQuery(\'.overlay\').show()" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button> | |||
| </div> | |||
| </div> | |||
| <div class="row"> | |||
There was a problem hiding this comment.
Echoing user input risks cross-site scripting vulnerability. You should use htmlentities() when showing data to users.
🧹 Fixed in commit 4843f32 🧹
There was a problem hiding this comment.
Semgrep Assistant thinks this might be safe to ignore. The user input is sanitized using 'sanitize_text_field' and 'esc_url', which are appropriate sanitization functions for preventing xss in this context. therefore, the risk of cross-site scripting is mitigated.
AI-generated comment; review carefully.
Leave a 👍 reaction to ignore the finding. Reacting with 👍 or 👎 also provides feedback to improve Assistant's future comments.
| @@ -68,7 +66,7 @@ function razorpay_view_button() | |||
| <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div> | |||
| </div> | |||
| </div> | |||
| <div class="col-md-7">'.$button_detail['html_content_item'].'</div> | |||
| <div class="col-md-7">'.esc_html($button_detail['html_content_item']).'</div> | |||
| </div> | |||
| </div> | |||
|
|
|||
There was a problem hiding this comment.
Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from $_REQUEST[...]. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with htmlspecialchars or use automatic context-aware escaping with a template engine such as Latte.
View Dataflow Graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>templates/razorpay-button-view-templates.php</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/4843f32657b100d98403c500357382c70f44974d/templates/razorpay-button-view-templates.php#L28 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 28] $_REQUEST['paged']</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/4843f32657b100d98403c500357382c70f44974d/templates/razorpay-button-view-templates.php#L28 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 28] $pagenum</a>"]
v3["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/4843f32657b100d98403c500357382c70f44974d/templates/razorpay-button-view-templates.php#L29 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 29] $previous_page_url</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/4843f32657b100d98403c500357382c70f44974d/templates/razorpay-button-view-templates.php#L32 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 32] echo '<div class="wrap"><br> <div class="content-header"><br> <a href="' . esc_url($previous_page_url) . '"><br> <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List<br> </a><br> <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'. esc_html($button_detail['title']) . '<br> </div><br> <div class="container rzp-container"><br> <div class="row panel-heading"><br> <div class="text">' . esc_html($button_detail['title']) . '</div><br> </div><br> <div class="row panel-body"><br> <div class="col-md-5 panel-body-left"><br> <div class="row"><br> <div class="col-sm-4 panel-label">Button ID</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail["id"]) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Button Status</div><br> <div class="col-sm-8 panel-value"><br> <span class="status-label">' . esc_html($button_detail['status']) . '</span><br> <button onclick="jQuery(\'.overlay\').show()" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button><br> </div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Total Quantity Sold</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Total revenue</div><br> <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . esc_html($button_detail['total_revenue']) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Created on</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div><br> </div><br> </div><br> <div class="col-md-7">'.esc_html($button_detail['html_content_item']).'</div><br> </div> <br> </div><br> <br> </div>';</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
⚪️ This finding does not block your pull request.
Ignore this finding from taint-unsafe-echo-tag.
There was a problem hiding this comment.
Semgrep Assistant suggests the following fix: Use htmlspecialchars and esc_url to sanitize dynamic data before outputting it to prevent XSS vulnerabilities.
View step-by-step instructions
-
Use the
htmlspecialcharsfunction to sanitize the output of any dynamic data that is being echoed. This will prevent XSS by converting special characters to HTML entities. -
For each instance of dynamic data within the
echostatement, wrap the variable withhtmlspecialchars. For example, change'.$button_detail['title'].'to'.htmlspecialchars($button_detail['title'], ENT_QUOTES, 'UTF-8').'. -
Repeat the above step for all dynamic variables within the
echostatement:'.$button_detail['id'].'to'.htmlspecialchars($button_detail['id'], ENT_QUOTES, 'UTF-8').''.$button_detail['status'].'to'.htmlspecialchars($button_detail['status'], ENT_QUOTES, 'UTF-8').''.$button_detail['btn_pointer_status'].'to'.htmlspecialchars($button_detail['btn_pointer_status'], ENT_QUOTES, 'UTF-8').''.$button_detail['total_item_sold'].'to'.htmlspecialchars($button_detail['total_item_sold'], ENT_QUOTES, 'UTF-8').''.$button_detail['total_revenue'].'to'.htmlspecialchars($button_detail['total_revenue'], ENT_QUOTES, 'UTF-8').''.$button_detail['created_at'].'to'.htmlspecialchars($button_detail['created_at'], ENT_QUOTES, 'UTF-8').''.$button_detail['html_content_item'].'to'.htmlspecialchars($button_detail['html_content_item'], ENT_QUOTES, 'UTF-8').'
-
For URLs, such as
$previous_page_url, useesc_urlto ensure they are properly sanitized. Change'.$previous_page_url.'to'.esc_url($previous_page_url).'. -
For JavaScript code, ensure that any dynamic data is properly escaped. For example, if
$showor$hidecontains dynamic data, ensure it is sanitized before being used in JavaScript.
By following these steps, you ensure that any user input or dynamic data is properly sanitized before being output to the browser, mitigating the risk of XSS vulnerabilities.
This code change should fix the finding:
| echo '<div class="wrap"> | |
| <div class="content-header"> | |
| <a href="'.esc_url($previous_page_url).'"> | |
| <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List | |
| </a> | |
| <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'.htmlspecialchars($button_detail['title'], ENT_QUOTES, 'UTF-8').' | |
| </div> | |
| <div class="container rzp-container"> | |
| <div class="row panel-heading"> | |
| <div class="text">'.htmlspecialchars($button_detail['title'], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| <div class="row panel-body"> | |
| <div class="col-md-5 panel-body-left"> | |
| <div class="row"> | |
| <div class="col-sm-4 panel-label">Button ID</div> | |
| <div class="col-sm-8 panel-value">'.htmlspecialchars($button_detail["id"], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| <div class="row"> | |
| <div class="col-sm-4 panel-label">Button Status</div> | |
| <div class="col-sm-8 panel-value"> | |
| <span class="status-label">'.htmlspecialchars($button_detail['status'], ENT_QUOTES, 'UTF-8').'</span> | |
| <button onclick="'.htmlspecialchars($show, ENT_QUOTES, 'UTF-8').'" class="status-button">'.htmlspecialchars($button_detail['btn_pointer_status'], ENT_QUOTES, 'UTF-8').'</button> | |
| </div> | |
| </div> | |
| <div class="row"> | |
| <div class="col-sm-4 panel-label">Total Quantity Sold</div> | |
| <div class="col-sm-8 panel-value">'.htmlspecialchars($button_detail['total_item_sold'], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| <div class="row"> | |
| <div class="col-sm-4 panel-label">Total revenue</div> | |
| <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>'.htmlspecialchars($button_detail['total_revenue'], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| <div class="row"> | |
| <div class="col-sm-4 panel-label">Created on</div> | |
| <div class="col-sm-8 panel-value">'.htmlspecialchars($button_detail['created_at'], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| </div> | |
| <div class="col-md-7">'.htmlspecialchars($button_detail['html_content_item'], ENT_QUOTES, 'UTF-8').'</div> | |
| </div> | |
| </div> | |
| </div>'; |
Leave feedback with a 👍 / 👎. Save a memory with /remember <your custom instructions>.
| @@ -68,7 +66,7 @@ function razorpay_view_button() | |||
| <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div> | |||
| </div> | |||
| </div> | |||
| <div class="col-md-7">'.$button_detail['html_content_item'].'</div> | |||
| <div class="col-md-7">'.esc_html($button_detail['html_content_item']).'</div> | |||
| </div> | |||
| </div> | |||
|
|
|||
There was a problem hiding this comment.
Echoing user input risks cross-site scripting vulnerability. You should use htmlentities() when showing data to users.
⭐ Fixed in commit 1e5a518 ⭐
There was a problem hiding this comment.
Semgrep Assistant thinks this might be safe to ignore. The user input is sanitized using 'sanitize_text_field' before being used in the 'echo' statement, which mitigates the risk of cross-site scripting (xss) vulnerabilities.
AI-generated comment; review carefully.
Leave a 👍 reaction to ignore the finding. Reacting with 👍 or 👎 also provides feedback to improve Assistant's future comments.
| </div> | ||
| </div> | ||
| <div class="row"> | ||
| <div class="col-sm-4 panel-label">Total Quantity Sold</div> | ||
| <div class="col-sm-8 panel-value">' . htmlentities($button_detail['total_item_sold']) . '</div> | ||
| <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div> | ||
| </div> | ||
| <div class="row"> | ||
| <div class="col-sm-4 panel-label">Total revenue</div> |
There was a problem hiding this comment.
Echoing user input risks cross-site scripting vulnerability. You should use htmlentities() when showing data to users.
View Dataflow Graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>templates/razorpay-button-view-templates.php</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/1e5a518adbfbe46a517cc8662d101952419fcf42/templates/razorpay-button-view-templates.php#L28 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 28] $_REQUEST</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/1e5a518adbfbe46a517cc8662d101952419fcf42/templates/razorpay-button-view-templates.php#L28 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 28] $pagenum</a>"]
v3["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/1e5a518adbfbe46a517cc8662d101952419fcf42/templates/razorpay-button-view-templates.php#L29 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 29] $previous_page_url</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/razorpay/payment-button-elementor-plugin/blob/1e5a518adbfbe46a517cc8662d101952419fcf42/templates/razorpay-button-view-templates.php#L32 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 32] echo '<div class="wrap"><br> <div class="content-header"><br> <a href="' . esc_url($previous_page_url) . '"><br> <span class="dashicons rzp-dashicons dashicons-arrow-left-alt"></span> Button List<br> </a><br> <span class="dashicons rzp-dashicons dashicons-arrow-right-alt2"></span>'. esc_html($button_detail['title']) . '<br> </div><br> <div class="container rzp-container"><br> <div class="row panel-heading"><br> <div class="text">' . esc_html($button_detail['title']) . '</div><br> </div><br> <div class="row panel-body"><br> <div class="col-md-5 panel-body-left"><br> <div class="row"><br> <div class="col-sm-4 panel-label">Button ID</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail["id"]) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Button Status</div><br> <div class="col-sm-8 panel-value"><br> <span class="status-label">' . esc_html($button_detail['status']) . '</span><br> <button onclick="jQuery(\'.overlay\').show()" class="status-button">' . esc_html($button_detail['btn_pointer_status']) . '</button><br> </div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Total Quantity Sold</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail['total_item_sold']) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Total revenue</div><br> <div class="col-sm-8 panel-value"><span class="rzp-currency">₹ </span>' . esc_html($button_detail['total_revenue']) . '</div><br> </div><br> <div class="row"><br> <div class="col-sm-4 panel-label">Created on</div><br> <div class="col-sm-8 panel-value">' . esc_html($button_detail['created_at']) . '</div><br> </div><br> </div><br> <div class="col-md-7">'.$button_detail['html_content_item'].'</div><br> </div> <br> </div><br> <br> </div>';</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
</div>');
<sub>⚪️ This finding does not block your pull request.
</sub><br/><sub>
<a href="https://semgrep.dev/docs/ignoring-files-folders-code">Ignore this finding</a> from <a href="https://semgrep.dev/playground/r/RGTKGXN/php.lang.security.injection.echoed-request.echoed-request?utm_campaign=finding_notification&utm_medium=review_comment&utm_source=github&utm_content=rule">echoed-request</a>.
</sub>
<!--
🤫 WELCOME TO SECRET SEMGREP! 🤫
This information is for debugging purposes and does not appear in rendered PR comments.
Finding id: 106164589
Syntactic id: 810ad2058996f77fa9a7c1b99c59bf60
Start line: 32,9
End line: 73,17
Index: 0
-->
There was a problem hiding this comment.
Semgrep Assistant thinks this might be safe to ignore. The user input is sanitized using 'sanitize_text_field' and 'esc_url', which are appropriate sanitization functions for this context, mitigating the risk of cross-site scripting.
AI-generated comment; review carefully.
Leave a 👍 reaction to ignore the finding. Reacting with 👍 or 👎 also provides feedback to improve Assistant's future comments.
No description provided.