Contrib.social

XSS::filter and filter_xss can create malformed attributes when you would expect them to be stripped

Open on Drupal.org β†’
Created on 17 August 2015, over 9 years ago
Updated 8 March 2023, almost 2 years ago

This was originally reported by alexpott to the Drupal Security Team, but is being made public since there is no actual vulnerability and it can be treated as a public bug.

There is no vulnerability since "on" attribute names are renamed which renders them harmless.

Problem/Motivation

Drupal\Component\Utility\Xss::filter has the following behaviour:

HEAD

BEFORE: <IMG SRC= onmouseover="alert('xxs')"
AFTER: <IMG nmouseover="alert(&#039;xxs&#039;)">

With patch

BEFORE: <IMG SRC= onmouseover="alert('xxs')"
AFTER: <IMG>

You can see the bug by running the test code below using "drush scr xss.php.txt"

<?php

$strings = [
  '<IMG SRC= onmouseover="alert(\'xxs\')"',
  '<IMG onmouseover="alert(\'xxs\')"',
  '<img src="http://example.com/foo.jpg" title="Example: title" alt="Example: alt">',
];

foreach ($strings as $original) {
  $string = filter_xss($original, array('img'));
  print "BEFORE: $original\nAFTER: $string\n\n";
}

Proposed resolution

Fix the logic so malformed attributes are stripped

Remaining tasks

review patch, backport.

User interface changes

n/a

API changes

n/a

Data model changes

n/a

πŸ› Bug report
Status

Fixed

Version

9.5

Component
BaseΒ  β†’

Last updated about 6 hours ago

Created by

πŸ‡ΊπŸ‡ΈUnited States pwolanin

Live updates comments and jobs are added and updated live.
  • Triaged core major

    There is consensus among core maintainers that this is a major issue. Only core committers should add this tag.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024