Drupal entity passing through query string triggers false positive in certain WAF blocking functionality

Created on 21 March 2017, almost 8 years ago
Updated 5 February 2024, 11 months ago

drupal-entity tag is passed in the url query string which has both < and > characters which are sometimes identified as xss vulnerable.

Request should pass the value as POST parameter.

Whoever validates this request using certain XSS prevention techniques in a web application firewall will face the issue that previews will not work.

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States dsim Irving, Texas

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    It seems this is not Cross Site Scripting, also known as XSS. I don't see evidence of a payload that triggers javascript. The bug seems more that the valid requests of the Embed module are sometimes identified as XSS by a Web Application Firewall which causes the features of the module to fail to work.

    I updated the title and issue summary to try to focus on that understanding of the problem.

Production build 0.71.5 2024