- Issue created by @prudloff
When passing a string to the sortbyweight
Twig filter, it returns it unchanged but because the filter has 'is_safe' => ['html']
, it will mark the string as safe and disable Twig auto escaping.
This could lead to a XSS vulnerability if the filter is used on a string provided by users.
This is mitigated by the fact the module only uses this filter on render arrays, but a custom template could be vulnerable.
{# Dangerous user-provided value #}
{% set payload = '<script>alert(`XSS`);</script>' %}
{# Here it is correctly escaped #}
{{ payload }}
{# Here it is not #}
{{ payload|sortbyweight }}
Since the filter usually returns an array, I don't think it needs to use is_safe
Active
1.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.