Drupal entity passing through query string triggers false positive in certain WAF blocking functionality

Created on 21 March 2017, over 7 years ago
Updated 5 February 2024, 10 months ago

The drupal-entity tag is passed in the URL query string, and it contains both < and > characters, which are sometimes identified as XSS-vulnerable.

The request should pass the value as a POST parameter.

Whoever validates this request using certain XSS-prevention techniques in a web application firewall will face the issue that previews do not work.
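The false positive described in the summary, modeled as an added example (this is not code from the Entity Embed or Embed module, nor from any real WAF product): a constructed preview URL carrying a `<drupal-entity>` tag in its query string is run through a naive rule that blocks any decoded `<...>` sequence in a request argument, and through an embed-aware rule that allows only that element with `data-*` attributes while still blocking script tags, event-handler attributes and `javascript:` values. The preview path `/embed/preview/basic_html`, the `value` parameter name and the entity UUID are assumptions made for the demo, not details taken from the module.

```python
"""Model of the WAF false positive from this issue.

Example code added for illustration; not part of the Entity Embed / Embed
module or of any WAF. The preview route, the "value" parameter name and the
UUID below are constructed assumptions for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed embed tag of the kind the editor sends when requesting a preview.
EMBED_TAG = (
    '<drupal-entity data-entity-type="node" '
    'data-entity-uuid="0f2d1c6e-0000-4000-8000-000000000001" '
    'data-embed-button="node" '
    'data-entity-embed-display="view_mode:node.teaser"></drupal-entity>'
)

# Constructed preview URL; path and parameter name are assumptions.
PREVIEW_URL = "/embed/preview/basic_html?" + urlencode({"value": EMBED_TAG})

# The only element the embed filter is expected to carry in a preview request.
ALLOWED_EMBED_TAGS = {"drupal-entity"}

# Attribute values that would smuggle script into a later rendering context.
_ACTIVE_SCHEME = re.compile(r"^\s*(?:javascript|vbscript|data):", re.IGNORECASE)


def _query_values(url: str):
    """Yield every percent-decoded argument value in the URL's query string."""
    for values in parse_qs(urlsplit(url).query).values():
        yield from values


def naive_rule_blocks(url: str) -> bool:
    """Rule of the kind the report describes: flag any argument whose decoded
    value contains an HTML-looking <...> sequence. Trips on the legitimate
    embed tag, so the preview request is dropped."""
    return any(re.search(r"<[^>]*>", v) for v in _query_values(url))


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes; nothing else."""

    def __init__(self) -> None:
        super().__init__()
        self.elements = []  # list of (tag, [(name, value), ...])

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, attrs))


def embed_aware_rule_blocks(url: str) -> bool:
    """Allow the embed module's own markup; block anything else that could be
    active content: unknown elements, any attribute that is not data-* (which
    rules out on* handlers), and javascript:/vbscript:/data: values."""
    for v in _query_values(url):
        if "<" not in v and ">" not in v:
            continue  # no markup at all, nothing to inspect
        parser = _TagCollector()
        parser.feed(v)
        parser.close()
        if not parser.elements:
            # Angle brackets that do not parse as an element: browsers are more
            # lenient than this parser, so treat unparseable markup as hostile.
            return True
        for tag, attrs in parser.elements:
            if tag not in ALLOWED_EMBED_TAGS:
                return True
            for name, value in attrs:
                if not name.startswith("data-"):
                    return True
                if value and _ACTIVE_SCHEME.search(value):
                    return True
    return False


def demo() -> dict:
    """Run both rules over the legitimate preview URL and a constructed attack."""
    attack = "/embed/preview/basic_html?" + urlencode(
        {"value": '<img src=x onerror="alert(1)">'}
    )
    return {
        "legit_blocked_by_naive_rule": naive_rule_blocks(PREVIEW_URL),
        "legit_blocked_by_embed_aware_rule": embed_aware_rule_blocks(PREVIEW_URL),
        "attack_blocked_by_naive_rule": naive_rule_blocks(attack),
        "attack_blocked_by_embed_aware_rule": embed_aware_rule_blocks(attack),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked}")
```

One caveat on the report's proposed fix: moving the tag into a POST body only avoids the false positive if the WAF does not apply the same rule to request bodies. Common rule sets (ModSecurity with the OWASP Core Rule Set, for instance) inspect POST arguments with the same XSS rules as query arguments, so on the WAF side the durable fix is a rule exception or allowlist scoped to the preview route, as the second rule above sketches.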

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States dsim Irving, Texas


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States, greggles, Denver, Colorado, USA

    It seems this is not Cross Site Scripting, also known as XSS. I don't see evidence of a payload that triggers javascript. The bug seems more that the valid requests of the Embed module are sometimes identified as XSS by a Web Application Firewall which causes the features of the module to fail to work.

    I updated the title and issue summary to try to focus on that understanding of the problem.
