Security concerns for using safe with msg of flash in core components?

Note the use of {:safe, msg}.

<p class="mt-2 text-sm leading-5"><%= {:safe, msg} %></p>


def flash(assigns) do
      :if={msg = render_slot(@inner_block) || Phoenix.Flash.get(@flash, @kind)}
      phx-click={JS.push("lv:clear-flash", value: %{key: @kind}) |> hide("##{@id}")}
        "fixed top-2 right-2 w-80 sm:w-96 z-50 rounded-lg p-3 shadow-md shadow-zinc-900/5 dark:shadow-zinc-100/5 ring-1",
        @kind == :info && "bg-emerald-50 text-emerald-800 ring-emerald-500 fill-cyan-900",
        @kind == :error && "bg-rose-50 text-rose-900 shadow-md ring-rose-500 fill-rose-900"
      <p :if={@title} class="flex items-center gap-1.5 text-sm font-semibold leading-6">
        <.icon :if={@kind == :info} name="hero-information-circle-mini" class="h-4 w-4" />
        <.icon :if={@kind == :error} name="hero-exclamation-circle-mini" class="h-4 w-4" />
        <%= @title %>
      <p class="mt-2 text-sm leading-5"><%= {:safe, msg} %></p>
      <button type="button" class="group absolute top-1 right-1 p-2" aria-label={gettext("close")}>
        <.icon name="hero-x-mark-solid" class="h-5 w-5 opacity-40 group-hover:opacity-70" />

This allows for basic html in the flash msg.

             |> put_flash(:info, "Post updated successfully <a href='/asdf'>Some Foobar Seen here</a>")
             |> push_patch(to: path)}

Is there any security concerns if my code is the only thing controlling that string? Also I’m mostly working from a vanilla generated block of code is it worth a PR? In other words why don’t we inherently trust our flash string?

If that string is 100% controlled by your app then no.

If there is ANY possibility that it includes user provided data or external data from another system, or data loaded from the db that was previously submitted by a user or other entity and was not previsouly sanitized to be html safe, then yes, absolutely, you now have a cross site scripting vulnerability.

Here is the relevant OWASP guidance.

1 Like