Fix stored XSS via CSV Import (CVE-2023-24686) #7674

Merged: DawoudIO merged 1 commit into master from fix/CVE-2023-24686-csv-import-xss on Nov 30, 2025

Conversation

@DawoudIO (Contributor) commented Nov 30, 2025

What Changed

Add strip_tags() sanitization to all string fields imported from CSV:

  • Person fields: Title, FirstName, MiddleName, LastName, Suffix, Email, WorkEmail
  • Address fields: Address1, Address2, City, State, Zip
  • Custom fields: Family and Person custom field data

This prevents XSS payloads from being stored in the database when importing malicious CSV files.

Fixes #6442

Type

  • ✨ Feature
  • 🐛 Bug fix
  • ♻️ Refactor
  • 🏗️ Build/Infrastructure
  • 🔒 Security

Testing

Screenshots

Security Check

  • Introduces new input validation
  • Modifies authentication/authorization
  • Affects data privacy/GDPR

Code Quality

  • Database: Propel ORM only, no raw SQL
  • No deprecated attributes (align, valign, nowrap, border, cellpadding, cellspacing, bgcolor)
  • Bootstrap CSS classes used
  • All CSS bundled via webpack

Pre-Merge

  • Tested locally
  • No new warnings
  • Build passes
  • Backward compatible (or migration documented)

Add strip_tags() sanitization to all string fields imported from CSV:
- Person fields: Title, FirstName, MiddleName, LastName, Suffix, Email, WorkEmail
- Address fields: Address1, Address2, City, State, Zip
- Custom fields: Family and Person custom field data

This prevents XSS payloads from being stored in the database when
importing malicious CSV files.
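As an added example (not code from this PR or from ChurchCRM), the following PHP shows the control the description refers to: every string field read from a CSV import is passed through strip_tags() before it is stored, and the stored value is then HTML-encoded again with htmlspecialchars() when rendered, so a value that strip_tags() leaves untouched (quotes, a bare angle bracket, the text inside a removed tag) still cannot break out of its HTML context. The field names are the ones listed in the PR; the CSV header layout, the helper names (sanitizeImportedField, sanitizeImportedRow, parseCsvRows, htmlEncode) and the sample rows are assumptions constructed for this example.

```php
<?php
// Added example (not ChurchCRM's own code): strip tags from imported CSV string
// fields, then encode on output. Field names come from the PR description; the
// column layout, helper names and sample CSV below are constructed for this example.

declare(strict_types=1);

const PERSON_STRING_FIELDS  = ['Title', 'FirstName', 'MiddleName', 'LastName', 'Suffix', 'Email', 'WorkEmail'];
const ADDRESS_STRING_FIELDS = ['Address1', 'Address2', 'City', 'State', 'Zip'];

/**
 * Input-side control: remove HTML/PHP tags from one imported field and trim it.
 * strip_tags() drops the tags but keeps their text content, so "<b>Ann</b>"
 * becomes "Ann" and "Jones<script>x</script>" becomes "Jonesx". It does not
 * touch quotes or other characters, which is why output encoding is still needed.
 */
function sanitizeImportedField(?string $value): string
{
    return trim(strip_tags((string) $value));
}

/**
 * Apply sanitizeImportedField() to every known string field of one parsed row.
 * $row is an associative array keyed by CSV header name; other keys are left alone.
 */
function sanitizeImportedRow(array $row): array
{
    foreach (array_merge(PERSON_STRING_FIELDS, ADDRESS_STRING_FIELDS) as $field) {
        if (array_key_exists($field, $row)) {
            $row[$field] = sanitizeImportedField($row[$field]);
        }
    }
    return $row;
}

/**
 * Parse CSV text whose first line is a header into associative rows.
 * The escape parameter is passed explicitly (empty string) to avoid the
 * PHP 8.4 deprecation of relying on its default.
 */
function parseCsvRows(string $csv): array
{
    $handle = fopen('php://memory', 'r+');
    fwrite($handle, $csv);
    rewind($handle);
    $header = fgetcsv($handle, null, ',', '"', '');
    $rows = [];
    while (($fields = fgetcsv($handle, null, ',', '"', '')) !== false) {
        $rows[] = array_combine($header, $fields);
    }
    fclose($handle);
    return $rows;
}

/**
 * Output-side control: encode a stored value for HTML text or a double-quoted
 * attribute. This is the layer that makes the import sanitization defence in depth
 * rather than the only barrier.
 */
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: one benign row and one row carrying markup in several fields.
$sampleCsv = <<<CSV
FirstName,LastName,Email,City
Ann,O'Brien,ann@example.com,Springfield
"<b>Bob</b>","Jones<script>x</script>",bob@example.com,"<i>Shelbyville</i>"
CSV;

foreach (parseCsvRows($sampleCsv) as $row) {
    $clean = sanitizeImportedRow($row);
    foreach (['FirstName', 'LastName', 'City'] as $field) {
        // Left: value as it would be stored after strip_tags(); right: the form rendered into HTML.
        printf("%-9s | stored: %-12s | rendered: %s\n", $field, $clean[$field], htmlEncode($clean[$field]));
    }
}
```

Running this prints the second row's fields as `Bob`, `Jonesx` and `Shelbyville` in the stored column, showing that strip_tags() removes the tags themselves but not the text they wrapped, while `O'Brien` in the first row is stored unchanged and only becomes `O&#039;Brien` in the rendered column, which is the context-specific encoding that the import-time sanitization cannot provide by itself.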
@DawoudIO DawoudIO requested a review from a team as a code owner November 30, 2025 00:03
@DawoudIO DawoudIO requested review from DAcodedBEAT, MrClever, bigtigerku, Copilot, grayeul and respencer and removed request for a team and Copilot November 30, 2025 00:03
@DawoudIO DawoudIO added this to the 6.3.0 milestone Nov 30, 2025
@DawoudIO DawoudIO merged commit eea41e5 into master Nov 30, 2025
7 checks passed
@DawoudIO DawoudIO deleted the fix/CVE-2023-24686-csv-import-xss branch November 30, 2025 00:14