$pagination->nextPageUrl() vulnerable to XSS attacks?

Hi,

One of my clients just informed me of a possible vulnerability when using the nextPageUrl method.
It seems special characters don’t get converted.

Consider the following end url:
http://www.examplekirbywebsite.com/de/news4"onmouseover%3Dalert(9)%3B"

When the nextPageUrl is rendered, it adds an onmouseover attribute.

If this is my fault then I’m sorry to waste your time and would appreciate some advice on how I can make my client happy again.

Thanks

This is not an issue with nextPageUrl() directly; all kinds of URLs have this issue.
However, please note that the return value of any method is always the “real” value. Depending on where you print the URL (inside HTML attributes, outside of HTML attributes, as part of another URL, etc.) you need to escape differently. Kirby can’t automagically do this for you.

If you can’t trust the page URLs of your site, escape the URLs:

<a href="<?php echo html($pagination->nextPageUrl()) ?>">Next page</a>

Also a very important note: Please never report potential security issues in forums. Always reach out to the developers privately. This is called “responsible disclosure” in case you want to learn more about it.

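The point made in the answer above (the same URL needs different escaping depending on the output context) can be seen in a stand-alone script. This is an added example, not code from the thread or from Kirby: `$nextPageUrl` is a constructed string standing in for `$pagination->nextPageUrl()`, and `escapeHtml()` / `escapeUrlParam()` are hypothetical helpers built on plain PHP functions, not Kirby’s own `html()` helper (whose exact implementation may differ).

```php
<?php
// Added example (not from the original thread or Kirby). Demonstrates why a
// page URL must be escaped according to the context it is printed into.
// The URL below is constructed to contain a double quote, like the one in the
// question; $nextPageUrl stands in for $pagination->nextPageUrl().
$nextPageUrl = 'http://www.examplekirbywebsite.com/de/news4"onmouseover=alert(9);"';

// Escape a value for an HTML attribute or HTML text context.
// Hypothetical helper, similar in purpose to Kirby's html(); ENT_QUOTES makes
// sure both single and double quotes are converted, not only double quotes.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value that becomes part of another URL (e.g. a query parameter).
// Hypothetical helper: percent-encodes everything outside the unreserved set.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// 1) Unescaped: the double quote inside the URL terminates the href value
//    early, so the remainder of the URL is parsed as a new attribute.
$unsafe = '<a href="' . $nextPageUrl . '">Next page</a>';

// 2) Attribute context: the quote becomes &quot;, so the browser keeps the
//    whole value inside href and no extra attribute appears.
$safeAttribute = '<a href="' . escapeHtml($nextPageUrl) . '">Next page</a>';

// 3) URL-inside-URL context: the page URL is handed to another page as a
//    parameter, so it is percent-encoded first, and the resulting attribute
//    value is then HTML-escaped like any other attribute.
$safeAsParameter = '<a href="'
    . escapeHtml('/share?url=' . escapeUrlParam($nextPageUrl))
    . '">Share</a>';

// Text context: same HTML escaping applies when the URL is shown as content.
$safeText = '<p>Next: ' . escapeHtml($nextPageUrl) . '</p>';

echo "Unescaped (broken attribute):\n", $unsafe, "\n\n";
echo "Escaped for attribute:\n", $safeAttribute, "\n\n";
echo "Escaped as URL parameter, then for attribute:\n", $safeAsParameter, "\n\n";
echo "Escaped as text:\n", $safeText, "\n";
```

Running it with `php` prints the four renderings side by side: in the first the quote closes `href` and `onmouseover=alert(9);` becomes its own attribute, while in the escaped variants the quote is emitted as `&quot;` (or `%22` inside the nested URL) and stays part of the value.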