XSS issue in the codebase

Created on 20 July 2017, over 7 years ago
Updated 30 January 2023, almost 2 years ago

Hi module's maintainers,

In the module there is a part where the output is not sanitized, which allows cross-site scripting to be executed.
As the module seems to be actively used by over 50k sites but has no coverage by the Drupal Security Team, I open this issue here as a public one in order to let its users know about the issue and act on their own to stay safe before the new version gets released.

Here are the steps to reproduce it:
- Enable the module.
- Create a new text format filter and set its name to this:

alert('XSS')

- Then add a Long text field (or use an already existing one) to a content type. When this page is loaded: admin/structure/types/manage/article/fields/body (where article is the bundle and body is the used field) you get the result of the XSS exploit.

I'm attaching the patch that fixes this issue.

As for the exploit, the following permissions are needed: administer fields, administer filters. If your site doesn't allow these to untrusted users, the vulnerability's risk is much lower.

Thank you in advance,
Balazs.
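The report does not show the module's code or the exact place where the format name is printed, so the following is an added example rather than the module's own code: it contrasts the vulnerable pattern the report describes (an administrator-supplied filter format label written into the field settings page as raw markup) with the fixed pattern (the label HTML-escaped for its output context). The function names, the `<option>` rendering context and the sample label are assumptions; the escaping call matches what Drupal's own helpers do (check_plain() in Drupal 7, \Drupal\Component\Utility\Html::escape() in Drupal 8+, which wraps htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE), written here in plain PHP so it runs outside Drupal.

```php
<?php
// Added example, not code from the module or from the issue author.
// A filter format's label is data entered by someone with "administer filters".
// If that label is concatenated into the field-settings page unescaped, the
// browser of whoever opens the page (someone with "administer fields")
// executes it as markup. Function names below are hypothetical.

/**
 * Vulnerable pattern: the format label goes into the HTML verbatim.
 * The rendering context (an <option> in a format selector) is assumed.
 */
function render_format_option_vulnerable(string $format_id, string $label): string {
  return '<option value="' . $format_id . '">' . $label . '</option>';
}

/**
 * Plain-PHP equivalent of Drupal's Html::escape(): every character that can
 * start a tag, an entity or close an attribute value is turned into a text
 * entity, and invalid UTF-8 is substituted instead of silently dropped.
 */
function escape_html(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Fixed pattern: every untrusted value is escaped for the context it lands in.
 * Both the attribute value and the element body are escaped; escaping only
 * one of them leaves the other as an injection point.
 */
function render_format_option_fixed(string $format_id, string $label): string {
  return '<option value="' . escape_html($format_id) . '">' . escape_html($label) . '</option>';
}

// Constructed sample input: a format label carrying the script from the report.
$label = "<script>alert('XSS')</script>";

echo render_format_option_vulnerable('evil_format', $label), PHP_EOL;
echo render_format_option_fixed('evil_format', $label), PHP_EOL;
```

Run with `php example.php`: the first line reproduces the problem (the script element survives intact and would execute in the admin's browser), the second prints the label with `<`, `>`, `"` and `'` converted to entities, so the format name shows up as literal text in the selector. In a Drupal 8+ module the same result is obtained by passing the label as a plain string (not `#markup`, not `Markup::create()`) into a render array or Twig template and letting autoescaping handle it; the report's note about the two permissions involved is the other half of the mitigation, since the attack requires an account that can both create a format and have an administrator open the field settings page.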

🐛 Bug report
Status

Fixed

Component

Code

Created by

🇭🇺Hungary tatarbj Brussels


Comments & Activities

