XSS vulnerability in texts

Open on Drupal.org →

Created on 3 July 2023, over 1 year ago

Updated 29 August 2023, about 1 year ago

Problem/Motivation

This module has a XSS vulnerability in translatable texts.

Steps to reproduce

Enable the module.
As a user with "translate tarte au citron" permission, browse to /admin/config/tarte_au_citron/edit-texts
In the "This website does not use any cookie requiring your consent." field, add <img src="x" onerror="alert('foo')">
This string is then injected by tarteaucitron.js in an element's innerHTML so when the cookie banner is displayed, the JS in "onerror" is executed.

Proposed resolution

I see two potential solutions:

Use Xss::filterAdmin() on the strings to sanitize them.
Add restrict access to the permission to indicate that it should only be given to trusted users.

🐛 Bug report

Status

Fixed

Version

1.0

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Issue created by @prudloff
First commit to issue fork.
@klelostec opened merge request.
Status changed to Fixed over 1 year ago8:56am 4 July 2023
Comment over 1 year ago →
🇫🇷France klelostec
Thanks a lot @prudloff.

I fixed this using the Xss::filterAdmin() solution which seems better to me.
This one prevents a malicious user from being able to exploit the XSS vulnerability if he is able to login with a user assigned to roles which are granted to the permission.
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
Status changed to Fixed about 1 year ago5:34pm 28 August 2023
Comment about 1 year ago →
🇫🇷France klelostec
Comment about 1 year ago →
🇫🇷France klelostec
Status changed to Fixed about 1 year ago8:34am 29 August 2023
Comment about 1 year ago →
🇫🇷France klelostec
Comment about 1 year ago →
🇫🇷France klelostec
Comment about 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024