Laminas · Laminas-Form · CVE-2022-23598
**Name of the Vulnerable Software and Affected Versions**
laminas-form versions prior to 2.17.1
laminas-form versions prior to 3.0.2
laminas-form versions prior to 3.1.1
**Description**
The laminas-form package is used for validating and displaying simple and complex forms. When rendering validation error messages via the `formElementErrors()` view helper, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not escaped for HTML contexts, which could lead to a reflected cross-site scripting attack.
**Recommendations**
For laminas-form versions prior to 2.17.1, update to version 2.17.1 or above to mitigate the vulnerability.
For laminas-form versions prior to 3.0.2, update to version 3.0.2 or above to mitigate the vulnerability.
For laminas-form versions prior to 3.1.1, update to version 3.1.1 or above to mitigate the vulnerability.
As a temporary workaround, manually place code at the top of a view script where the `formElementErrors()` view helper is called to escape the submitted values for HTML contexts.
Use the following code:
```php
use Laminas\Form\ElementInterface;
use Laminas\View\Renderer\PhpRenderer;

$escapeMessages = function (ElementInterface $formOrElement, PhpRenderer $renderer): void {
    $messages = $formOrElement->getMessages();
    if (! $messages) {
        return;
    }

    // Escape each message in place so the nesting (element name => validator key => message)
    // is preserved; Fieldset::setMessages() re-dispatches messages by element name and
    // would fail on a flat, re-indexed list.
    array_walk_recursive(
        $messages,
        static function (string &$item) use ($renderer): void {
            $item = $renderer->escapeHtml($item);
        }
    );

    $formOrElement->setMessages($messages);
};
```
Before calling `formElementErrors()` with a form, fieldset, or element, call the above closure as follows:
```php
// Usage with a form
// $this is the view renderer
$escapeMessages($form, $this);
// Usage with a fieldset
// $this is the view renderer
$escapeMessages($fieldset, $this);
// Usage with a form element
// $this is the view renderer
$escapeMessages($element, $this);
```
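As an added regression check (not part of the advisory or the laminas-form project), the script below renders an element whose validation message embeds the submitted value and reports whether `formElementErrors()` escaped it. It assumes a Composer install of laminas-form with its laminas-validator and laminas-view dependencies, and an autoloader at `vendor/autoload.php`; the probe value and the custom message template are constructed for the check.

```php
<?php
// Regression check for CVE-2022-23598: does formElementErrors() escape the
// submitted value that a validator embedded in its error message?
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader

use Laminas\Form\Element\Text;
use Laminas\Form\View\Helper\FormElementErrors;
use Laminas\Validator\Regex;

// Constructed probe: markup that must never reach the rendered page unescaped.
$submitted = '<script>probe</script>';

// A custom template using %value% is one common way the submitted value
// ends up inside the validation message.
$validator = new Regex('/^[a-z]+$/');
$validator->setMessage("The value '%value%' is not allowed", Regex::NOT_MATCH);

$element = new Text('username');
$element->setValue($submitted);
if (! $validator->isValid($submitted)) {
    // Attach the validator's messages exactly as an input filter would.
    $element->setMessages($validator->getMessages());
}

// Render the error list with the helper under test (no view required:
// the helper falls back to its own EscapeHtml helper when none is set).
$html = (new FormElementErrors())->render($element);

$leaksRawMarkup = strpos($html, $submitted) !== false;
$isEscaped      = strpos($html, '&lt;script&gt;probe&lt;/script&gt;') !== false;

echo $html, PHP_EOL;
if ($leaksRawMarkup || ! $isEscaped) {
    echo 'VULNERABLE: submitted value rendered without HTML escaping', PHP_EOL;
    exit(1);
}
echo 'OK: submitted value is HTML-escaped in the rendered errors', PHP_EOL;
exit(0);
```

On a vulnerable release the raw `<script>` markup appears in the output and the script exits non-zero; on 2.17.1, 3.0.2, 3.1.1 or later only the escaped form appears.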