Security issue because of unescaped field labels

This was released as backdrop security fix in https://backdropcms.org/security/backdrop-sa-core-2024-001

Raising priority to critical as this is a small XSS vulnerability, but fortunately can only be exploited by trusted admins as Damien said.

Setting to "needs work" as I think we should do the same fix as Backdrop.

Ported patch from backdrop.

Thanks for the patch Klausi!

Thank you all for working on the fix and reviewing it.

If confirmed that is a security issue we should follow this instruction, right?!

It is a security issue, but it falls outside of the security advisory policy of the Drupal Security team. The vulnerability can only be exploited if the attacker has an elevated permission "administer fields". Therefore we can fix this in public (not sure why Backdrop issued an advisory).

Clarified that in the issue summary

Thanks Klausi.

Put another way - this is a minor security hardening issue for some rare scenarios, rather than a something a non-admin would be able to exploit.

Oh hm, @jenlampton replied in Slack that the Backdrop fix is not necessary for Drupal 7 because Views UI has an extra XSS filter that Backdrop does not have anymore. She is right, I tried to exploit this but could not get XSS to trigger when adding a field in the Views UI.

Is there any other place where these field labels are displayed?

Very sorry for the noise here, I should have tested my assumptions fully before escalating here. Downgrading the priority again and setting this back to active.

For the Views module in Drupal 7 I think we should not remove the extra XSS filter in Views UI, even if there could be some double escaping then. Keeping the potential double escaping is the secure choice at this point in the late D7 cycle.

Let me know if you see the XSS trigger and where exactly!