Bug #3127
Missing encoding of single quotes in pkg_edit.php / XSS
Status: closed (100% done)
Description
The problem occurs when a user enters a single quote (') into an input field, saves, and then edits again.
Then the input is truncated at the first single quote.
I noticed the problem with the Filer package using Diagnostics / Filer / Edit, but the issue might apply to other packages as well. In this package single quotes can be useful in the script field.
The problem is caused by a missing HTML entity encoding of single quotes in <input value='...'>. This can be verified by viewing the HTML source in the browser. It will show e.g. <input value='echo 'hi''> when the user has entered echo 'hi'.
The bug allows cross site scripting (XSS), which can be verified, e.g. by entering the following in the above scenario:
' onfocus='alert(1)
The attached patch fixes the problem by replacing
htmlspecialchars($value)
with
htmlspecialchars($value, ENT_QUOTES)
in a number of places. Background: htmlspecialchars encodes by default only double quotes; with ENT_QUOTES it encodes double and single quotes.
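The following is an added example written for this page, not pfSense code and not the attached patch. It models the two behaviours the report contrasts in Python: htmlspecialchars_compat() mimics PHP's htmlspecialchars() with the pre-8.1 default flags (ENT_COMPAT, double quotes encoded, single quotes left alone), htmlspecialchars_quotes() mimics ENT_QUOTES, and render() is a stand-in for the single-quoted <input value='...'> markup pkg_edit.php emits. Python's HTMLParser is used as a stand-in for the browser's attribute tokenizer, so the output shows both symptoms from the report: the truncation of echo 'hi' at the first quote, and the onfocus handler that the ' onfocus='alert(1) payload injects. The name attribute 'script' and the helper names are assumptions for the example. One caveat on the background note above: it describes PHP before 8.1; since PHP 8.1 htmlspecialchars() defaults to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the explicit flag is still the right fix for code that must run on older releases.

```python
"""Model of the pkg_edit.php single-quote bug (added example, not pfSense code)."""
from html.parser import HTMLParser

# Inputs taken from the bug report.
SCRIPT = "echo 'hi'"
PAYLOAD = "' onfocus='alert(1)"


def htmlspecialchars_compat(s: str) -> str:
    """Mimic PHP htmlspecialchars() with ENT_COMPAT (default before PHP 8.1):
    &, <, > and " are encoded, the single quote is passed through unchanged."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def htmlspecialchars_quotes(s: str) -> str:
    """Mimic htmlspecialchars($s, ENT_QUOTES): additionally encode ' as &#039;."""
    return htmlspecialchars_compat(s).replace("'", "&#039;")


def render(value: str, encode) -> str:
    """Stand-in for the single-quoted attribute markup the package page emits.
    The field name 'script' is an assumption for this example."""
    return "<input name='script' value='%s'>" % encode(value)


class _FirstTagAttrs(HTMLParser):
    """Collect the attributes of the first start tag, roughly as a browser
    tokenizer would assign them (attribute values are entity-decoded)."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup: str) -> dict:
    p = _FirstTagAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def value_round_trip(value: str, encode) -> str:
    """What the edit form would show for a stored value: the parsed 'value'
    attribute. With ENT_COMPAT the value is cut at the first single quote."""
    return parsed_attrs(render(value, encode)).get("value")


def injected_handlers(value: str, encode) -> list:
    """Event-handler attributes an attacker-controlled value managed to add
    to the tag. Empty when single quotes are encoded."""
    return sorted(k for k in parsed_attrs(render(value, encode)) if k.startswith("on"))


if __name__ == "__main__":
    for label, enc in (("ENT_COMPAT", htmlspecialchars_compat),
                       ("ENT_QUOTES", htmlspecialchars_quotes)):
        print(label, repr(render(SCRIPT, enc)), "->", repr(value_round_trip(SCRIPT, enc)))
        print(label, repr(render(PAYLOAD, enc)), "->", injected_handlers(PAYLOAD, enc))
```

Running the block prints the rendered markup and the parsed result for both flag sets: under ENT_COMPAT the stored script comes back as "echo " and the payload yields an onfocus attribute on the input; under ENT_QUOTES the value survives intact and no extra attribute appears. The same check applies to any template that quotes attribute values with single quotes, which is why the patch changes every call site rather than only the one where the symptom was noticed.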
Files