Patched XSS vulnerablity

[jacobd91]

Manual Testing Guide

Prerequisites

1. A WordPress install with weForms active
2. A weForms form containing a Hidden Field (note its meta
   key name)
3. A page with the form shortcode (e.g. [weforms id="172"])
4. A Subscriber-level user account with an Application
   Password (WP Admin → Users → Edit User → Application
   Passwords)
5. Note the form ID and page ID

---

Step 1 — Get a WPUF nonce

curl -s -u 'SUBSCRIBER_USER:APP_PASSWORD'
"https://yoursite.com/wp-json/wp/v2/pages/PAGE_ID"
| grep -o 'value="[a-f0-9]*"' | head -1

Copy the nonce value from the output.

---

Step 2 — Submit an XSS payload via REST API

curl -s -X POST -u 'SUBSCRIBER_USER:APP_PASSWORD'
-d '_wpnonce=NONCE&hidden_test=%22%3E%3Cimg+src%3Dx+onerr
or%3Dalert%28document.cookie%29%3E&name%5Bfirst%5D=Test&nam
e%5Blast%5D=User&email=test%40test.com&message=test+message
&form_id=FORM_ID'
"https://yoursite.com/wp-json/weforms/v1/forms/FORM_ID/en
tries/"

Expected response (patched): the hidden_test value in the
response data should be ">" — the tag stripped.

Expected response (unpatched): the full payload "> appears unsanitized.

---

Step 3 — Verify no XSS in the entries list

Log in as admin and navigate to weForms → (your form) →
Entries.

• Patched: no alert() dialog; hidden field column shows ">
  as plain text
• Unpatched: alert() fires on page load

---

Step 4 — Verify no XSS in the entry detail view

Click Details on the entry submitted in Step 2.

• Patched: hidden field value shows as escaped text ">; no
  dialog
• Unpatched: alert() fires

---

Step 5 — Verify textarea display is unaffected

Submit a normal entry through the front-end form (or via
the same curl command with a clean message value). Open the
entry detail view.

• Patched: the Message field renders its content normally
  (paragraph-wrapped text displays as formatted text, not as
  escaped <p> tags)

---

Step 6 — Verify normal hidden field values are unaffected

Submit with a clean hidden field value:

curl -s -X POST -u 'SUBSCRIBER_USER:APP_PASSWORD'
-d '_wpnonce=NONCE&hidden_test=my-tracking-value&name%5Bf
irst%5D=Test&name%5Blast%5D=User&email=test%40test.com&mess
age=test+message&form_id=FORM_ID'
"https://yoursite.com/wp-json/weforms/v1/forms/FORM_ID/en
tries/"

Expected: hidden_test stored and displayed as
my-tracking-value with no truncation or mangling.

[Copilot]

Pull request overview

This PR addresses an XSS vector in weForms entry handling by sanitizing stored entry values (notably for hidden fields submitted via the REST API) and by removing unsafe HTML rendering in the admin SPA entry list/detail UI.

Changes:

• Sanitize scalar entry values in the default prepare_entry() flow to prevent unsanitized hidden-field payloads submitted via REST.
• Replace v-html rendering with Vue’s escaped interpolation for entry list/table cells.
• Restrict v-html usage in the entry single/detail view to textarea fields (and keep existing special cases like address).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
includes/fields/class-abstract-fields.php	Sanitizes default scalar entry values during entry preparation (impacts hidden field REST submissions).
assets/spa/components/form-entry-single/template.php	Adjusts entry-detail rendering to avoid v-html for most field types, limiting raw HTML rendering to textarea.
assets/js-templates/spa-components.php	Updates generated SPA templates to escape entry field values in list/detail views instead of rendering raw HTML.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The SPA table template in this generated file is now escaping entry.fields[index], but the source Vue template (assets/spa/components/component-table/template.php) still uses v-html for the same cells. That mismatch is likely to reintroduce the XSS if assets/templates are regenerated from source; update the source template to keep them consistent.

[Copilot]

Same as above: this second table row template now escapes entry.fields[index], but the corresponding source template (assets/spa/components/component-table/template.php) still renders it with v-html. Please update the source template as well so a rebuild doesn’t reintroduce the XSS.

[Copilot]

The fallback renderer now uses {{ field.value }} for all non-textarea fields. Several entry field types are prepared server-side as HTML strings (e.g., file/image uploads as <a> links, signature fields as <img>, some grid fields as HTML tables), so this change will cause those fields to display escaped HTML markup in the entry detail view. Consider adding explicit handling for those HTML-producing field types (or changing the API to return structured data/plain text and render it safely) so their display doesn’t regress while still avoiding XSS.

Suggested change

	<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
	<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
	<div
	v-else-if="
	field.type === 'file_upload' ||
	field.type === 'image_upload' ||
	field.type === 'signature_field' ||
	field.type === 'repeat_field' ||
	field.type === 'grid_field'
	"
	v-html="field.value">
	</div>

[Copilot]

The entry-detail template now escapes field.value for all non-textarea fields. Backend entry rendering produces HTML strings for some field types (e.g., file/image uploads, signature fields, grid fields), so those will now show up as escaped markup instead of rendered content in the entry detail view. Either add explicit v-html handling for the specific safe HTML-producing types (with server-side escaping/kses), or refactor the API to return structured data and render it without v-html.

Suggested change

	<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
	<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
	<div v-else-if="field.type === 'file_upload' || field.type === 'image_upload' || field.type === 'signature' || field.type === 'grid'" v-html="field.value"></div>