XSS vulnerability in drupal_youtube service

Created on 12 July 2023, over 1 year ago
Updated 29 August 2023, about 1 year ago

Problem/Motivation

The drupal_youtube service does not sanitize attribute values and is vulnerable to an XSS vulnerability.

Steps to reproduce

  1. Enable the drupal_youtube service.
  2. Create a text format that allows div tags with class and data-width attributes (but not the data-onload attribute).
  3. Create a node using this text format and insert this HTML in the field:
      <div class="youtube_player" data-width="&quot; onload=&quot;alert(`xss`);&quot;">Foo</div>
      
  4. The width attribute is not sanitized when building the iframe so the onload attribute is injected (thus bypassing the attribute restrictions from the text format).

Proposed resolution

I think Drupal.checkPlain() can be used to sanitize the attribute.
But the best practice is probably to build the iframe with DOM functions like createElement() and setAttribute().

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024