BUGFIX: Prevent XSS attacks by converting special characters to HTML #99

Merged
bwaidelich merged 1 commit into neos:main from mikec655:bugfix/html-special-chars-error-render
Jan 9, 2026

Conversation

@mikec655

When a Fusion form is submitted with a field that uses, for example, a regex validator, the value is included in the error message when it does not match the pattern: The given subject did not match the pattern. Got: {value}

If the submitted value contains valid HTML, the HTML is rendered instead of displayed as text in the error message. This introduces a potential XSS vulnerability.

To prevent this, I added String.htmlSpecialChars(...), which ensures that the value is properly escaped and displayed as expected in the error message.

@jonnitto jonnitto requested a review from mficzel October 29, 2025 08:09
@bwaidelich
Member

I can confirm that this fixes the issue, we should issue a bugfix release soon!

@bwaidelich bwaidelich merged commit 2a40ab5 into neos:main Jan 9, 2026
7 checks passed
@dlubitz
Contributor

dlubitz commented Jan 9, 2026

Thank you @mikec655 for this PR.
We should also backport this to 2.3.
