Skip to content

Patched XSS vulnerablity #263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jacobd91 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Patched XSS vulnerablity #263

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b143402
Patched XSS vulnerablity
jacobd91 Feb 27, 2026
bdd94ba
Updated version numbers and changelog
jacobd91 Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions assets/js-templates/spa-components.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@
<th scope="row" class="check-column">
<input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
</th>
<td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
<td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SPA table template in this generated file is now escaping entry.fields[index], but the source Vue template (assets/spa/components/component-table/template.php) still uses v-html for the same cells. That mismatch is likely to reintroduce the XSS if assets/templates are regenerated from source; update the source template to keep them consistent.

Copilot uses AI. Check for mistakes.
<th class="col-entry-details">
<template v-if="status == 'trash'">
<a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
Expand All @@ -96,7 +96,7 @@
<th scope="row" class="check-column">
<input type="checkbox" name="post[]" v-model="checkedItems" :value="entry.id">
</th>
<td v-for="(header, index) in columns"><span v-html="entry.fields[index]"></span></td>
<td v-for="(header, index) in columns"><span>{{ entry.fields[index] }}</span></td>
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above: this second table row template now escapes entry.fields[index], but the corresponding source template (assets/spa/components/component-table/template.php) still renders it with v-html. Please update the source template as well so a rebuild doesn’t reintroduce the XSS.

Copilot uses AI. Check for mistakes.
<th class="col-entry-details">
<template v-if="status == 'trash'">
<a href="#" @click.prevent="restore(entry.id)"><?php esc_html_e( 'Restore', 'weforms' ); ?></a>
Expand Down Expand Up @@ -425,7 +425,8 @@
</div>
<div v-else-if="field.type === 'country_list_field'">{{ getCountryName( field.value ) }}</div>
<div v-else-if="field.type === 'address_field'" v-html="getAddressFieldValue( field.value)"></div>
<div v-else v-html="field.value"></div>
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The entry-detail template now escapes field.value for all non-textarea fields. Backend entry rendering produces HTML strings for some field types (e.g., file/image uploads, signature fields, grid fields), so those will now show up as escaped markup instead of rendered content in the entry detail view. Either add explicit v-html handling for the specific safe HTML-producing types (with server-side escaping/kses), or refactor the API to return structured data and render it without v-html.

Suggested change
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
<div v-else-if="field.type === 'file_upload' || field.type === 'image_upload' || field.type === 'signature' || field.type === 'grid'" v-html="field.value"></div>

Copilot uses AI. Check for mistakes.
<div v-else>{{ field.value }}</div>
</td>
</tr>
</template>
Expand Down
3 changes: 2 additions & 1 deletion assets/spa/components/form-entry-single/template.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@
</div>
<div v-else-if="field.type === 'country_list_field'">{{ getCountryName( field.value ) }}</div>
<div v-else-if="field.type === 'address_field'" v-html="getAddressFieldValue( field.value)"></div>
<div v-else v-html="field.value"></div>
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fallback renderer now uses {{ field.value }} for all non-textarea fields. Several entry field types are prepared server-side as HTML strings (e.g., file/image uploads as <a> links, signature fields as <img>, some grid fields as HTML tables), so this change will cause those fields to display escaped HTML markup in the entry detail view. Consider adding explicit handling for those HTML-producing field types (or changing the API to return structured data/plain text and render it safely) so their display doesn’t regress while still avoiding XSS.

Suggested change
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
<div v-else-if="field.type === 'textarea_field'" v-html="field.value"></div>
<div
v-else-if="
field.type === 'file_upload' ||
field.type === 'image_upload' ||
field.type === 'signature_field' ||
field.type === 'repeat_field' ||
field.type === 'grid_field'
"
v-html="field.value">
</div>

Copilot uses AI. Check for mistakes.
<div v-else>{{ field.value }}</div>
</td>
</tr>
</template>
Expand Down
2 changes: 1 addition & 1 deletion includes/fields/class-abstract-fields.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -545,7 +545,7 @@ public function prepare_entry( $field, $args = [] ) {
if ( is_array( $value ) ) {
$entry_value = implode( WeForms::$field_separator, $args[$field['name']] );
} else {
$entry_value = trim( $value );
$entry_value = sanitize_textarea_field( trim( $value ) );
}

return $entry_value;
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "weForms",
"author": "BoldGrid",
"version": "1.6.27",
"version": "1.6.28",
"license": "GPL-2.0",
"repository": {
"type": "git",
Expand Down
8 changes: 7 additions & 1 deletion readme.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ Tags: form builder, contact form, forms, form creator, custom form
Requires at least: 5.0
Requires PHP: 7.2.5
Tested up to: 6.9
Stable tag: 1.6.27
Stable tag: 1.6.28
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -240,6 +240,12 @@ Please report security bugs found in the source code of the undefined plugin thr

== Changelog ==

= Version 1.6.28 ( 27 February, 2026 ) =
* Security: Patched stored XSS vulnerability in form entry fields.

= Version 1.6.27 ( 09 February, 2026 ) =
* Security: Patched object injection vulnerability.

= Version 1.6.26 ( 17 December, 2025 ) =
* Fix: Added extra validation for form uploads.

Expand Down
4 changes: 2 additions & 2 deletions weforms.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* Plugin URI: https://weformspro.com/
* Author: weForms
* Author URI: https://weformspro.com/
* Version: 1.6.27
* Version: 1.6.28
* License: GPL2 or later
* License URI: https://www.gnu.org/licenses/gpl-2.0.html
* Text Domain: weforms
Expand Down Expand Up @@ -55,7 +55,7 @@ final class WeForms {
*
* @var string
*/
public $version = '1.6.27';
public $version = '1.6.28';

/**
* Form field value seperator
Expand Down