ZF-8029: Script injection using the 'default' route

Issue Type: Bug Created: 2009-10-07T10:51:43.000+0000 Last Updated: 2009-10-15T10:25:42.000+0000 Status: Resolved Fix version(s): - 1.9.5 (27/Oct/09)

Reporter: Kristopher Kelly (kbkelly) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

Related issues: Attachments:


When assembling URLs with $encode = true and using the default route, for instance a URL like controller/action/paramName/paramValue, the Zend_Controller_Router_Route_Module class urlencode's 'controller', 'action' and 'paramValue', but not 'paramName'.

This allows for an attack vector where HTML is injected into the 'paramName' segment of the URL. For example, the default route will parse the following URL:


Into the following request:

'controller' => 'foo' 'action' => 'bar' '">

If you then use the default route to construct a URL in the foo/bar view (with $reset = false), it will display this way:


Looks like script injection to me. This particular instance doesn't do the alert because the closing script tag is malformed (properly encoded). The obvious workaround for this is to additionally escape the resulting URL with htmlspecialchars(), but that requirement didn't seem intuitive given that the URL was already supposed to be encoded.

So, is this a bug or expected behavior for some other reason?


Posted by Matthew Weier O'Phinney (matthew) on 2009-10-15T10:25:42.000+0000

Fixed in trunk and 1.9 release branch.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.