FAPI checkboxes and radios need strengthening for XSS

Created on 10 October 2008, about 16 years ago
Updated 15 September 2024, about 1 month ago

FAPI checkboxes aren't automatically escaped like some other form elements. This can lead to XSS vulnerabilities in contrib modules which don't handle the escaping themselves. Following discussion in the security team we've decided that any contrib modules in 6 should be dealt with individually, and an approach along the lines of #242873: make drupal_set_title() use check_plain() by default. in 7.x and 8.x would make sense.
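An added illustration, not code from this issue, from its author or from Drupal core: a Drupal 6 style form builder whose checkbox labels come from untrusted data, showing the unescaped #options pattern the summary describes beside the check_plain() hardening that the referenced issue applies to titles. check_plain() and t() are real Drupal 6 API functions; the example_* function names, the sample labels and the fallback stubs are assumptions made so the file also runs outside a Drupal bootstrap.

```php
<?php
// Added example, not code from this issue or from Drupal core. It contrasts a
// form builder that passes untrusted labels into #options unescaped with one
// that runs them through check_plain() first. The example_* names, the sample
// labels and the fallback definitions are constructed for illustration.

// Fallbacks so the file runs without a Drupal bootstrap. Drupal 6's
// check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8, which the
// stub mirrors; t() is reduced to an identity function here.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('t')) {
  function t($string) {
    return $string;
  }
}

// Constructed sample labels, as they might arrive from a taxonomy term name or
// node title that a user was allowed to save with raw markup in it.
function example_untrusted_labels() {
  return array(
    'a' => 'Plain label',
    'b' => 'Label with markup <script>alert("xss")</script>',
  );
}

// Vulnerable pattern: #options values are handed to FAPI as-is. Because
// checkbox and radio labels are not escaped automatically, the markup reaches
// the browser of whoever views the form verbatim.
function example_form_vulnerable(&$form_state) {
  $form['choices'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Choices'),
    '#options' => example_untrusted_labels(),
  );
  return $form;
}

// Hardened pattern: every label passes through check_plain() before it is
// placed in #options, so the browser receives entity-encoded text instead of
// live markup. This is the per-module fix the summary asks contrib to apply.
function example_form_hardened(&$form_state) {
  $form['choices'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Choices'),
    '#options' => array_map('check_plain', example_untrusted_labels()),
  );
  return $form;
}

// Stand-alone run: print the label each variant would emit for option 'b'.
$state = array();
$variants = array(
  'vulnerable' => example_form_vulnerable($state),
  'hardened'   => example_form_hardened($state),
);
foreach ($variants as $name => $form) {
  echo $name, ': ', $form['choices']['#options']['b'], PHP_EOL;
}
```

Running the file with the PHP CLI prints the raw script tag for the vulnerable variant and the entity-encoded form (`&lt;script&gt;...`) for the hardened one; inside Drupal, the real check_plain() and t() take over and the stubs are skipped.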

Task
Status

Closed: outdated

Version

11.0

Component
Form

Last updated about 16 hours ago

Created by

United Kingdom catch

Tags
  • Security improvements
  • Needs issue summary update


Comments & Activities

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • New Zealand quietone

    The last comment states that "#options for radios and checkboxes is definitely XSS admin filtered and select #options are escaped in D8." And, like the previous comment, it thinks this is a duplicate, although neither is sure which issue it is a duplicate of. After that there has been no activity here for 9 years. It is time to close this.

    Since it is not clear which issue this is a duplicate of, I am closing as outdated.
