XSS vulnerability in readmoreLink setting

Created on 5 July 2023, 12 months ago
Updated 29 August 2023, 10 months ago

Problem/Motivation

The readmoreLink setting has an XSS vulnerability.

Steps to reproduce

Use this config:

moreInfoLink: true
readmoreLink: '"><img src="x" onerror="alert(''foo'')">'

tarteaucitron.js does not sanitize the value before using it in the href attribute.

Proposed resolution

Html::escape() could be used to sanitize the string.
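As an added example (not code from the tarteaucitron module or from tarteaucitron.js), the standalone PHP script below renders the readmoreLink value from the steps above into an href attribute both raw and escaped, then parses each result to list any element that was injected. It assumes the settings arrive as a plain array and reproduces Html::escape() with htmlspecialchars() so it runs without Drupal.

```php
<?php
// Added example, not code from the tarteaucitron module or tarteaucitron.js.
// Assumption: the module's settings arrive as a plain PHP array; the
// readmoreLink value is the one from the issue's "Steps to reproduce".
$settings = [
  'moreInfoLink' => TRUE,
  'readmoreLink' => '"><img src="x" onerror="alert(\'foo\')">',
];

// Stand-in for \Drupal\Component\Utility\Html::escape(), which wraps
// htmlspecialchars() with these flags; ENT_QUOTES is what stops a value
// from closing a double-quoted attribute.
function escape_like_html_escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the setting is interpolated into href unchanged.
function render_link_unsafe(array $settings): string {
  return '<a href="' . $settings['readmoreLink'] . '">Read more</a>';
}

// Hardened rendering: the setting is escaped before it enters the attribute.
function render_link_safe(array $settings): string {
  return '<a href="' . escape_like_html_escape($settings['readmoreLink']) . '">Read more</a>';
}

// Regression check: parse the markup the way a browser would and list every
// element other than the intended <a>. A correct rendering yields an empty list.
function unexpected_elements(string $html): array {
  $doc = new DOMDocument();
  // The fragment is wrapped so there is one container to walk; warnings
  // about fragment-only input are suppressed because only the tree matters.
  @$doc->loadHTML('<div>' . $html . '</div>');
  $found = [];
  $wrapper = $doc->getElementsByTagName('div')->item(0);
  foreach ($wrapper->getElementsByTagName('*') as $element) {
    if ($element->tagName !== 'a') {
      $found[] = $element->tagName;
    }
  }
  return $found;
}

$unsafe = render_link_unsafe($settings);
$safe = render_link_safe($settings);
echo "raw:     $unsafe\n";
echo "escaped: $safe\n";
// The raw rendering contains an injected img element; the escaped one contains only the anchor.
var_dump(unexpected_elements($unsafe));
var_dump(unexpected_elements($safe));
```

Escaping stops the value from closing the attribute; because the value is used as a URL, Drupal's UrlHelper::filterBadProtocol() is the variant that also strips unsafe URL schemes before applying the same escaping.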

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

prudloff (Lille, France)

  • Security
