CVE-2023-23019 is assigned to 15 stored XSS vulnerabilities in ci4_blog.
For example, the username and email are saved to the DB in file ci4_blog\app\Controllers\Main.php, where name, email, and type are pulled straight out of the POST data by extract() and stored without validation or sanitization:
```php
public function user_add(){
    if($this->request->getMethod() == 'post'){
        // extract() turns every submitted POST field into a local variable
        extract($this->request->getPost());
        $udata = [];
        $udata['name']  = $name;   // attacker-controlled, stored as-is
        $udata['email'] = $email;  // attacker-controlled, stored as-is
        $udata['type']  = $type;
        //...
        $save = $this->auth_model->save($udata);
        //...
    }
}
```
Then the users are loaded from the DB and their stored values are printed in the list view. In file ci4_blog\app\Controllers\Main.php:
```php
public function users(){
    //...
    // Every user except the logged-in one is passed to the view unmodified
    $this->data['users'] = $this->auth_model->where("id != '{$this->session->login_id}'")->paginate($this->data['perPage']);
    //...
    return view('pages/users/list', $this->data);
}
```
Then in file ci4_blog\app\Views\pages\users\list.php, each value is echoed into the HTML without output escaping, so a stored payload executes in the browser of every user who opens the list:

```php
<?php foreach($users as $row): ?>
<tr>
    <td class="px-2 py-1 align-middle"><?= $row['name'] ?></td>
    <td class="px-2 py-1 align-middle"><?= $row['email'] ?></td>
</tr>
<?php endforeach; ?>
```
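A hardened version of the controller action and the view, added here as an example and not code from the ci4_blog project: output is HTML-escaped with CodeIgniter 4's esc() helper, and the controller validates an explicit field list instead of extract()-ing arbitrary POST keys. It assumes CodeIgniter 4's Controller::validate(), a hypothetical pages/users/add view for re-displaying errors, and that type is restricted to admin or user in this hypothetical app.

```php
<?php
// ---- app/Controllers/Main.php (hardened user_add, hypothetical) ----
public function user_add()
{
    if ($this->request->getMethod() !== 'post') {
        return view('pages/users/add', $this->data);
    }

    // Declare the accepted fields and server-side rules explicitly.
    // Unknown POST keys are ignored instead of becoming local variables.
    $rules = [
        'name'  => 'required|max_length[64]',
        'email' => 'required|valid_email|max_length[254]',
        'type'  => 'required|in_list[admin,user]',
    ];
    if (! $this->validate($rules)) {
        $this->data['errors'] = $this->validator->getErrors();
        return view('pages/users/add', $this->data);
    }

    // Read each field by name; no extract(), no attacker-chosen variables.
    $udata = [
        'name'  => $this->request->getPost('name'),
        'email' => $this->request->getPost('email'),
        'type'  => $this->request->getPost('type'),
    ];
    $this->auth_model->save($udata);

    return redirect()->to('/users');
}

// ---- app/Views/pages/users/list.php (hardened) ----
// esc() HTML-encodes <, >, &, " and ' so a stored "<script>" tag is
// rendered as text rather than executed. Escaping at output time is the
// control that actually stops the XSS; the validation above is defense
// in depth and does not replace it.
?>
<?php foreach ($users as $row): ?>
<tr>
    <td class="px-2 py-1 align-middle"><?= esc($row['name']) ?></td>
    <td class="px-2 py-1 align-middle"><?= esc($row['email']) ?></td>
</tr>
<?php endforeach; ?>
```

The two parts belong in the separate files named in the comments; they are shown together only so the fix can be read in one place.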