Skip to content

Reflective XSS via incomplete return URL sanitization

Low
angrybrad published GHSA-fvwq-45qv-xvhv Mar 9, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 4.15.3, <= 4.17.2
>= 5.7.5, <= 5.9.6

Patched versions

4.17.3
5.9.7

Description

Summary

The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute.

Details

The patched code in is:

public function setReturnUrl($url): void
{
    parent::setReturnUrl(strip_tags($url));
}

strip_tags() removes HTML tags (e.g., <script>, <img>) from a string, but it is not a URL sanitizer. When the sanitized return URL is subsequently rendered in an href attribute context (e.g., <a href="{{ returnUrl }}">), the following dangerous payloads survive strip_tags() completely unmodified:

  1. javascript: protocol URLs -- javascript:alert(document.cookie) contains no HTML tags, so strip_tags() returns it verbatim. When placed in an href, clicking the link executes the JavaScript.

  2. data: URIs -- data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== uses Base64 encoding and contains no tags at all, bypassing strip_tags() entirely.

  3. Protocol-relative URLs -- //evil.com/steal contains no tags and is passed through unchanged. When rendered as an href, the browser resolves it relative to the current page’s protocol, redirecting the user to an attacker-controlled domain.

The core issue is that strip_tags() operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.

Impact

Reflected XSS via crafted return URL. An attacker constructs a malicious link such as https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie) and sends it to a victim. The attack flow is:

  1. Victim clicks the link, visiting the Craft CMS site.
  2. The application calls setReturnUrl() with the attacker-controlled value.
  3. strip_tags() processes the URL but finds no HTML tags -- it passes through unchanged.
  4. The URL is stored in the session and later rendered in an href attribute (e.g., a "Return" or "Continue" link).
  5. When the victim clicks that link, javascript:alert(document.cookie) executes in the context of the Craft CMS origin.

This enables:

  • Session hijacking via cookie theft (document.cookie)
  • Data exfiltration via fetch() to an attacker-controlled server
  • Phishing by redirecting to a lookalike domain (protocol-relative URL)
  • CSRF by performing actions on behalf of the authenticated user

References

Severity

Low

CVE ID

CVE-2026-31859

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Learn more on MITRE.