Open
Description
During a recent pentest on one of our CakePHP apps we found that using the limit control creates unescaped hidden controls in the limit form. Neither the keys nor the values of existing query params are escaped. When using a query string such as '?limit=100&g2znn"><script>alert(1)<%2fscript>g0yjd=1%20HTTP/1.1', JavaScript may be injected into the limit control form. I think it would be beneficial to at least offer an escape parameter/option for this method, or rather the possibility to determine the exact query params (escaped) to be included in the limit control form. Also, casting the limit query param value as int would be beneficial in the limitControl() method to prevent XSS injections.
CakePHP Version
5.2.10
PHP Version
8.4.16
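As an added illustration of the two mitigations the report asks for (escaping the carried-over query params and casting the limit to int), the following stand-alone PHP renders hidden inputs for a limit form in an unescaped and a hardened variant. This is example code written here, not CakePHP's helper implementation; the function names `hiddenInputsUnescaped`, `hiddenInputsEscaped`, the allow-list and the sample query string are assumptions, and the escaping uses plain `htmlspecialchars` rather than any CakePHP API.

```php
<?php
// Added example (not CakePHP's code): building a limit form's hidden inputs from
// the current query string, once as the report describes it and once hardened.
// Function names, the allow-list and the sample query string are assumptions.

declare(strict_types=1);

/** Escape text for safe use inside an HTML attribute value or text node. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Variant matching the behaviour described in the report: query param keys and
 * values are written into hidden inputs verbatim, so a key or value containing
 * a double quote can terminate the attribute and inject markup.
 */
function hiddenInputsUnescaped(array $query): string
{
    $html = '';
    foreach ($query as $key => $value) {
        $html .= '<input type="hidden" name="' . $key . '" value="' . $value . '">' . "\n";
    }
    return $html;
}

/**
 * Hardened variant:
 *  - only parameters on an explicit allow-list are carried over into the form,
 *  - every key and value is HTML-escaped,
 *  - the limit value is cast to int and clamped to a sane range before rendering.
 */
function hiddenInputsEscaped(array $query, array $allowed, int $maxLimit = 100): string
{
    $html = '';
    foreach ($query as $key => $value) {
        if (!in_array((string) $key, $allowed, true) || !is_scalar($value)) {
            continue; // drop unknown keys and array-valued parameters entirely
        }
        if ($key === 'limit') {
            // (int) "100abc" === 100; non-numeric input becomes 0 and is clamped to 1
            $value = (string) min(max((int) $value, 1), $maxLimit);
        }
        $html .= '<input type="hidden" name="' . h((string) $key)
               . '" value="' . h((string) $value) . '">' . "\n";
    }
    return $html;
}

// Constructed sample query string: a non-integer limit plus a key that carries
// a double quote and angle brackets, the shape of input the report is about.
parse_str('limit=100abc&sort=title&x"><b>=1', $query);

echo "--- unescaped (behaviour described in the report) ---\n";
echo hiddenInputsUnescaped($query);
echo "--- escaped + allow-listed + int cast ---\n";
echo hiddenInputsEscaped($query, ['limit', 'sort', 'page']);
```

Running it shows the unescaped variant emitting `name="x"><b>"`, i.e. the attribute is closed early and attacker-controlled markup follows, while the hardened variant drops the unknown key, escapes `sort`, and renders `limit` as `100`. Allow-listing is the stronger of the two controls here: escaping alone still echoes arbitrary parameter names into the form, which is rarely what a paginated view actually needs.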