I customized a web form for training purposes using the following text in the configuration form of the “backend” aka “admin interface” aka Desk:
Thank you for entering this flight contract with our crazy airplane maintenance crew! If by chance you ever arrive at your destination airport, don't forget to buy some alcohol for the flight crew. No risk, no fun! #flight-and-fun-with-crazy-maintenance
But on the web form it shows as this:
Thank you for entering this flight contract with our crazy airplane maintenance crew! If by chance you ever arrive at your destination airport, don\'t forget to buy some alcohol for the flight crew. No risk, no fun! #flight-and-fun-with-crazy-maintenance Click here if you are not redirected within 3 seconds
Did you notice the difference?
Hint: It’s not the text at the end.
Second hint: it’s a slash.
The slash in don’t vs. don\'t. (Here in this line of the post I added a second slash so that it appears as a simple slash in this second hint. This means that if I put just a single slash here in the text, it disappears/doesn’t show in the preview window to the right, which in itself is a similar bug in the forum software. Note that in the code sections above I didn’t need to enter two slashes for it to appear once. The format used in a posting makes a difference for the appearance. Any pentester needs to account for that.)
So it’s an issue of encoding done wrong. The slash should be removed, or rather correctly encoded, and not appear to the user, so that everything appears just as it was entered in the configuration form. In other words, it should appear to the user exactly as it was entered into the configuration form by the form builder person. (Or, in this forum, as it was entered, with or without a slash, because, for instance, in this explainer I need both. In other words, this forum also has a defect, which can hinder communication, or worse; see what follows.)
This may not be an “oh, this is just a minor glitch” thing. I didn’t analyze this in depth, so what follows is speculative, but this kind of misencoding is what, in a case where SQL were involved, might open the door to an LPE, or so. And this is an issue in a web form. I found it on the configuration-form-to-DB-to-web path, but who knows if something similar also happens in the direction web-to-DB of the same Web Form software snippets? Then we’d be talking about remote triggering by whatever slips through the encoding impedance mismatches.
Version: This is with a dev frappeframework updated yesterday, after the correction of the cache/nocache bug, which it doesn’t have any more.
Regarding the text at the end, I’m missing a field to configure the display duration of the custom success page, like “0 = keep it there”, in this case allowing for a link/button with configurable text to some other configurable destination, or “x seconds”, in this case also allowing for a configurable button/link text and destination.
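As an added illustration of the don't → don\'t symptom described in the post (this is not Frappe's code and does not reproduce how the Web Form actually stores or renders the success message): a value that is addslashes-escaped for one context (a quoted string literal) and then emitted in another (an HTML text node) leaks the backslash to the reader. The script simulates the configuration-form-to-DB-to-web path with an in-memory SQLite table; the `pre_escape` flag, the table name and the helper functions are assumptions made for the example. It also contains the check a pentester can run over rendered pages: a backslash in front of a quote in visible text is the fingerprint of escaping done in the wrong layer.

```python
# Added example, not Frappe's code. Demonstrates escaping in the wrong layer:
# escape once, for the context you are emitting into, and store the raw value.
import html
import json
import re
import sqlite3

# Constructed sample, modelled on the success-message text in the post.
ORIGINAL = "If by chance you ever arrive at your destination airport, don't forget it."


def escape_for_quoted_literal(s: str) -> str:
    """addslashes-style escaping: only valid INSIDE a quoted string literal
    (SQL or JavaScript source). It is neither an HTML nor a storage encoding."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def store_and_fetch(value: str, pre_escape: bool) -> str:
    """Round-trip a value through SQLite using parameter binding.
    pre_escape=True simulates the hypothetical defect: the value is
    addslashes-escaped before it is bound, so the backslash ends up in the DB."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE web_form (success_message TEXT)")  # assumed table
    if pre_escape:
        value = escape_for_quoted_literal(value)
    # With a bound parameter the driver handles quoting; no manual escaping.
    con.execute("INSERT INTO web_form VALUES (?)", (value,))
    (fetched,) = con.execute("SELECT success_message FROM web_form").fetchone()
    con.close()
    return fetched


def render_html(stored: str) -> str:
    """Emit the stored value as an HTML text node: HTML-escape at output only."""
    return html.escape(stored, quote=True)


def render_js(stored: str) -> str:
    """Emit the stored value inside a <script>: a JSON literal is a valid JS
    string literal, so quotes and backslashes are escaped for that context."""
    return "var successMessage = " + json.dumps(stored) + ";"


def as_displayed(rendered_html: str) -> str:
    """What the browser shows for an HTML text node (entities decoded)."""
    return html.unescape(rendered_html)


# A backslash followed by a quote or another backslash in *visible* text.
LEAKED_ESCAPE = re.compile(r"\\['\"\\]")


def find_leaked_escapes(displayed_text: str) -> list[str]:
    """Check to run over rendered pages: every hit is a value that was escaped
    for a string-literal context but emitted as plain text."""
    return LEAKED_ESCAPE.findall(displayed_text)


def buggy_path(text: str) -> str:
    """Escaped on the way in, stored escaped, HTML-escaped on the way out."""
    return as_displayed(render_html(store_and_fetch(text, pre_escape=True)))


def correct_path(text: str) -> str:
    """Stored raw via parameter binding, HTML-escaped on the way out."""
    return as_displayed(render_html(store_and_fetch(text, pre_escape=False)))


if __name__ == "__main__":
    print("buggy  :", buggy_path(ORIGINAL))
    print("correct:", correct_path(ORIGINAL))
    print("leaked :", find_leaked_escapes(buggy_path(ORIGINAL)))
    print(render_js(store_and_fetch(ORIGINAL, pre_escape=False)))
```

The buggy path prints the apostrophe as don\'t while the correct path reproduces the configured text unchanged; `find_leaked_escapes` returns the stray `\'` for the former and nothing for the latter. If the same value must also be placed inside a `<script>`, `render_js` shows the separate, context-specific escaping for that output, which is where a backslash before a quote legitimately belongs.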