
Potential security concerns on custom pagination

Hello,

I've extended the LengthAwarePaginator class to allow for multiple parameters of the same name.

http://localhost:8000/api/examples?q=hello&q=test

With LengthAwarePaginator it returns the following for nextPageUrl & prevPageUrl:

nextPageUrl: http://localhost:8000/api/examples?q%5B0%5D=hello&q%5B1%5D=test&page=3
prevPageUrl: http://localhost:8000/api/examples?q%5B0%5D=hello&q%5B1%5D=test&page=1

I overrode the member function url() that is on the AbstractPaginator class to this:

    use Illuminate\Support\Str;

    /**
     * Get the URL for a given page number.
     *
     * @param  int  $page
     * @return string
     */
    public function url($page)
    {
        if ($page <= 0) {
            $page = 1;
        }

        // If we have any extra query string key / value pairs that need to be added
        // onto the URL, we will put them in query string form and then attach it
        // to the URL. This allows for extra information like sortings storage.
        $parameters = [$this->pageName => $page];

        if (count($this->query) > 0) {
            $parameters = array_merge($this->query, $parameters);
        }

        // http_build_query() emits list values as q%5B0%5D=hello&q%5B1%5D=test;
        // strip the percent-encoded "[n]" index markers so the result reads
        // q=hello&q=test instead.
        $query = http_build_query($parameters, '', '&');
        $query = preg_replace('/%5B[0-9]+%5D/simU', '', $query);

        return $this->path
                        .(Str::contains($this->path, '?') ? '&' : '?')
                        .$query
                        .$this->buildFragment();
    }

The only thing I changed was the following section with the call to http_build_query():

        $query = http_build_query($parameters, '', '&');
        $query = preg_replace('/%5B[0-9]+%5D/simU', '', $query);

        return $this->path
                        .(Str::contains($this->path, '?') ? '&' : '?')
                        .$query
                        .$this->buildFragment();

Basically, I'm just searching for whenever the query includes the following characters and replacing them with an empty string, like so:

%5B0%5D => ''

And eureka! It works, I'm now getting the correct next and prev pages for the paginator.

However, I'm wondering if there are any security concerns with doing this. If I always replace any occurrence of...

%5B0%5D

Am I opening up myself to security holes or XSS attacks?

Thanks for any help you can provide.

0 likes
1 reply
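The question above is whether stripping `%5B<digits>%5D` from an already percent-encoded query string can let markup through. The script below is an added example, not code from the post or from Laravel: it reproduces the regex approach outside the framework, puts an alternative beside it that emits one `key=value` pair per list element without post-processing encoded output, and runs both over constructed input (a value carrying markup, and a value that legitimately contains the text `[0]`). The function names are the example's own.

```php
<?php
// Added example (not from the original post or from Laravel). Function names
// buildQueryWithRegex, buildQueryRepeatedKeys and isPercentEncodedSafe are
// invented for this illustration.

/**
 * The poster's approach: let http_build_query() emit q[0]=..&q[1]=.. and then
 * remove the percent-encoded index markers "%5B<digits>%5D" from the result.
 * Case-insensitive, since percent-encoding may use lowercase hex.
 */
function buildQueryWithRegex(array $parameters): string
{
    $query = http_build_query($parameters, '', '&');
    return preg_replace('/%5B[0-9]+%5D/i', '', $query);
}

/**
 * Alternative: emit one "key=value" pair per element of a list-valued
 * parameter, encoding each key and value individually. Nothing is edited
 * after encoding, so a value that itself contains "[0]" is left intact.
 */
function buildQueryRepeatedKeys(array $parameters): string
{
    $pairs = [];
    foreach ($parameters as $key => $value) {
        foreach ((array) $value as $item) {
            $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $item);
        }
    }
    return implode('&', $pairs);
}

/**
 * Defender's check: a query string that is still fully percent-encoded
 * contains only unreserved characters, '%', '+', and the separators '=' and
 * '&'. Any '<', '>', '"' or "'" surviving here would be a real finding.
 */
function isPercentEncodedSafe(string $query): bool
{
    return preg_match('/\A[A-Za-z0-9_.~%=&+-]*\z/', $query) === 1;
}

// Constructed inputs for the comparison.
$inputs = [
    'markup'   => ['q' => ['hello', '<script>alert(1)</script>'], 'page' => 3],
    'brackets' => ['q' => ['a[0]b'], 'page' => 2],
];

foreach (['regex' => 'buildQueryWithRegex', 'repeated' => 'buildQueryRepeatedKeys'] as $label => $fn) {
    foreach ($inputs as $name => $parameters) {
        $query = $fn($parameters);
        printf("%-9s %-9s safe=%-3s %s\n",
            $label, $name, isPercentEncodedSafe($query) ? 'yes' : 'no', $query);
    }
}
```

Both variants pass `isPercentEncodedSafe()` on the markup input: the regex only deletes bytes from a string `http_build_query()` has already encoded, so it cannot produce a `<` or `"` that was not there, and the XSS exposure rests on how the URL is rendered (Blade's `{{ }}` escaping, or equivalent) rather than on this step. What the regex does change is any value or key that legitimately contains `[n]`; on the `brackets` input it turns `a[0]b` into `ab`, while the repeated-keys variant keeps `a%5B0%5Db`. One further caveat for whichever variant is used: PHP's own `parse_str()` keeps only the last of repeated keys without brackets, so the code that consumes these URLs has to read the raw query string the same way the original request was read.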

Thoughts? I tested this with some example XSS attacks and all were escaped correctly. Just trying to think of a specific use case with the above that is no longer caught.
