Laravel 5.1 security

Hi,

I created something like below. If I enter alert("security flaw!!!!!") between script tags in my input, I get the JavaScript alert in my browser. Is it normal or is there something missing in my snippet? I just started learning Laravel.

routes.php

Route::post('settings/generalsettings/changedata', 'UserSettingsController@changeData');

UserSettingsController.php

<?php

namespace App\Http\Controllers;

use App\User;
use App\Http\Controllers\Controller;
use Input;

class UserSettingsController extends Controller
{
    public function changeData()
    {
        // Raw, user-controlled value taken from the POST body
        $variable = Input::get('name99');

        // Echoed back with no escaping: whatever the user typed,
        // <script> tags included, is returned verbatim to the browser
        echo $variable;
    }
}

generalSettings.blade.php

<!DOCTYPE html>
<html>
<head>
    <title></title>
    <meta charset="utf-8">
    <link rel="stylesheet" href=""/>
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    <input id="name" type="text" placeholder="Enter your name">
    <input type="submit" id="sub">
    <div id="result"></div>
    <script src="/js/jquery-2.1.4.js"></script>

    <script type="text/javascript">
        $(document).ready(function () {
            // set up jQuery with the CSRF token, or else post routes will fail
            $.ajaxSetup({
                headers: {
                    'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
                }
            });

            // handlers
            $("#sub").click(function (y) {
                y.preventDefault();
                var user_name = $('#name').val();
                $.post(
                        "/settings/generalsettings/changedata",
                        {
                            name99: user_name
                        },
                        function (data) {
                            $('#result').hide().html(data).fadeIn(2000);
                        });
            });
        });
    </script>
</body>
</html>

That’s nothing to do with Laravel specifically. It’s important never to trust user input for exactly this reason, so you don’t want to output anything that has come from the user without sanitizing it first. If you use Blade (the template system that comes with Laravel) it automatically escapes your output for you, otherwise take a look at this section on data filtering on phptherightway.com

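A worked version of the fix the reply points at, added here as an example; it is not code from the original post or from Laravel itself. It is plain PHP so it runs without the framework: escape_html() reproduces what Laravel 5.1's e() helper and Blade's {{ }} syntax do (htmlentities with ENT_QUOTES), and change_data_unsafe() / change_data_safe() are stand-ins for the posted controller method before and after the fix. The function names and the sample request body are constructed for this example.

```php
<?php
// Added example, not code from the original post or from Laravel.
// Plain PHP stand-in for the posted controller so it runs outside the framework.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * This is the same call Laravel 5.1's e() helper (and therefore Blade's
 * {{ }} output) makes; later versions switched to htmlspecialchars, which
 * treats <, >, &, " and ' the same way.
 */
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

/**
 * What the posted changeData() does: returns the input unchanged.
 * Vulnerable: the browser receives the user's markup as-is.
 */
function change_data_unsafe(array $input): string
{
    return (string) ($input['name99'] ?? '');
}

/**
 * Hardened equivalent: the same value, escaped before it leaves the server.
 * In the real controller this is   return e(Input::get('name99'));
 * or rendering the value through a Blade view with {{ $name }}.
 * (Blade's {!! $name !!} form deliberately skips escaping; avoid it for
 * user-controlled data.)
 */
function change_data_safe(array $input): string
{
    return escape_html((string) ($input['name99'] ?? ''));
}

// Constructed request body: the payload from the question.
$post = ['name99' => '<script>alert("security flaw!!!!!")</script>'];

$unsafe = change_data_unsafe($post);
$safe   = change_data_safe($post);

// The page's jQuery handler does $('#result').html(data), so the first
// response is parsed as markup and the script runs, while the second
// renders as the literal text the user typed.
echo "unsafe response: {$unsafe}\n";
echo "safe response:   {$safe}\n";
// safe response: &lt;script&gt;alert(&quot;security flaw!!!!!&quot;)&lt;/script&gt;
```

Run it with `php example.php`. Two caveats a practitioner will want: first, this escaping is correct for an HTML text or attribute context only; a value dropped into a JavaScript string, a URL, or a CSS block needs the escaping for that context instead. Second, the client side of the posted page inserts the response with `.html(data)`; switching that to `.text(data)` makes the browser treat the response as text regardless of what the server returned, which is a cheap second layer in case some other controller forgets to escape.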