XSS vulnerability in texts

Created on 3 July 2023
Updated 29 August 2023

Problem/Motivation

This module has an XSS vulnerability in its translatable texts.

Steps to reproduce

  1. Enable the module.
  2. As a user with "translate tarte au citron" permission, browse to /admin/config/tarte_au_citron/edit-texts
  3. In the "This website does not use any cookie requiring your consent." field, add <img src="x" onerror="alert('foo')">
  4. This string is then injected by tarteaucitron.js into an element's innerHTML, so when the cookie banner is displayed, the JS in "onerror" is executed.

Proposed resolution

I see two potential solutions:

  • Use Xss::filterAdmin() on the strings to sanitize them.
  • Add restrict access to the permission to indicate that it should only be given to trusted users.
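The first of the two fixes above, written out as an added example. This is not the tarte_au_citron module's own code: the function name, the config keys and the autoloader path are assumptions, and the sample texts are constructed from the reproduction steps. It shows what Xss::filterAdmin() actually does to the reported payload: the <img> tag is on the admin allow-list and survives, but the onerror attribute (like every on* handler, and any <script>/<style> element) is stripped, so the banner renders an inert broken image instead of running JavaScript.

```php
<?php
// Added example, not the tarte_au_citron module's code. Demonstrates running
// the translatable banner texts through Xss::filterAdmin() before they reach
// tarteaucitron.js. Assumes Drupal core's autoloader is reachable at the path
// below (placeholder; adjust to the site root).

use Drupal\Component\Utility\Xss;

require_once '/var/www/html/vendor/autoload.php'; // assumed site path

/**
 * Sanitize the translatable texts with the admin-level XSS filter.
 *
 * Xss::filterAdmin() keeps ordinary markup such as <b>, <a> and <img>, but
 * removes <script>/<style> and drops every on* event-handler attribute, so
 * the payload from "Steps to reproduce" survives only as <img src="x">.
 *
 * @param string[] $texts
 *   Banner texts keyed as they would be read from the module's config
 *   (the keys used here are assumed, not the module's real ones).
 *
 * @return string[]
 *   The same keys with filtered values.
 */
function tarte_au_citron_sanitize_texts(array $texts): array {
  $clean = [];
  foreach ($texts as $key => $value) {
    $clean[$key] = Xss::filterAdmin((string) $value);
  }
  return $clean;
}

// Constructed input: the reported payload, plus a harmless text to show that
// legitimate inline markup is preserved rather than escaped away.
$texts = [
  'no_consent' => 'This website does not use any cookie requiring your consent. <img src="x" onerror="alert(\'foo\')">',
  'accept' => 'Accept <strong>all</strong> cookies',
];

$clean = tarte_au_citron_sanitize_texts($texts);

foreach ($clean as $key => $value) {
  printf("%s: %s\n", $key, $value);
}

// Defensive check a site applying this fix can keep: fail loudly if an event
// handler attribute ever slips through the filter.
if (stripos($clean['no_consent'], 'onerror') !== FALSE) {
  throw new RuntimeException('Unfiltered event handler in banner text');
}
```

Where the filter is applied matters: if it runs only in the edit form's submit handler, payloads already stored in config keep working until someone re-saves the form. Applying it at the point where the module hands the texts to the JS library (typically when building the drupalSettings it attaches) covers existing data too. The second fix is a one-line change in the module's permissions YAML: adding "restrict access: true" under the permission entry makes the permissions page show Drupal's "Give to trusted roles only" warning, which is the standard way to flag a permission that lets its holders inject markup.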
Type

Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

prudloff (Lille, France)

Tags

Security
