- Issue created by @mcdruid
Reporting this in the public issue queue as:
At present adobe_analytics\VariableFormatter::renderVariables sanitises the keys of variables, but not their values.
The token module may do some sanitisation, but values with no tokens pass through unfiltered.
The twig template then uses |raw to output the rendered variables.
This means it's possible to put an XSS payload into the value of a variable, and it will be sent to the browser without sanitisation.
In the case of putting XSS into the module's config, the 'Configure Adobe Analytics settings' permission is marked as restricted so should only be given to trusted users. Therefore this would not be treated as a security vulnerability even if the project had Security Coverage (which it currently does not).
However, there's also the hook_adobe_analytics_variables hook provided by the module whereby other code can add extra variables.
It's not hard to imagine another module putting something into the value of a variable that would be unsafe to render without any sanitisation, but that's what would currently happen.
Side note: the example hook implementation in the readme file is quite broken, but it illustrates setting a variable based on an HTTP header. The example itself is not dangerous as only an item from a hard-coded list is used as the variable value, but it's not a big jump to go from that to setting a variable based on unsafe input.
Example payload (config YAML):
extra_variables:
  -
    name: foo
    value: '";alert(1);//'
Variables values should be sanitised as well as the keys.
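Added example (not the adobe_analytics module's code, and not part of the original report): a standalone PHP re-implementation of the pattern the report describes, a renderer that turns name/value pairs into `s.name="value";` JavaScript assignments. It shows the vulnerable shape (key sanitised, value interpolated verbatim) next to a hardened form that encodes the value as a JavaScript string literal, and a small structural check that distinguishes the two on the issue's own payload. All function names, the name sanitiser and the second sample value are assumptions made for the illustration; the real module's key sanitisation may differ.

```php
<?php
// Added example, not the adobe_analytics module's code. It re-implements the
// pattern described in the issue: a renderer that emits `s.name="value";`
// JavaScript assignments from an array of name/value pairs. Function and
// variable names here are hypothetical.

/**
 * Hypothetical name sanitiser, standing in for whatever the module applies to
 * keys: only identifier characters survive, so the left-hand side of the
 * assignment cannot break out of the statement.
 */
function sanitize_variable_name(string $name): string {
  return preg_replace('/[^A-Za-z0-9_]/', '', $name);
}

/**
 * The shape of the bug: the key is sanitised, the value is interpolated
 * verbatim into a JavaScript string literal. The output is later printed
 * with |raw, so nothing downstream escapes it either.
 */
function render_variables_vulnerable(array $variables): string {
  $lines = [];
  foreach ($variables as $name => $value) {
    $lines[] = 's.' . sanitize_variable_name($name) . '="' . $value . '";';
  }
  return implode("\n", $lines);
}

/**
 * Hardened form: the value is encoded as a JavaScript string literal with
 * json_encode(). The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX
 * escapes and "/" is escaped by default, so the literal can neither end
 * early nor close the surrounding <script> element. The result is safe to
 * print raw inside a script block; HTML escaping would be the wrong tool
 * here because the context is JavaScript, not markup.
 */
function render_variables_hardened(array $variables): string {
  $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
  $lines = [];
  foreach ($variables as $name => $value) {
    $lines[] = 's.' . sanitize_variable_name($name) . '='
      . json_encode((string) $value, $flags) . ';';
  }
  return implode("\n", $lines);
}

/**
 * Cheap structural check for the generated script: every line must be one
 * assignment whose right-hand side is a single double-quoted string literal
 * containing no unescaped quote, no <, > and no line break. Anything that
 * escaped the literal (the issue's payload) fails this check.
 */
function script_is_well_formed(string $script): bool {
  foreach (explode("\n", $script) as $line) {
    if (!preg_match('/^s\.[A-Za-z0-9_]+="((?:[^"\\\\<>\r\n]|\\\\.)*)";$/', $line)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed input: the variable from the issue's example payload, plus a
// hypothetical value of the kind a hook implementation might have taken from
// a request header without filtering it.
$variables = [
  'foo' => '";alert(1);//',
  'prop1' => '</script><script>alert(2)</script>',
];

echo "vulnerable:\n" . render_variables_vulnerable($variables) . "\n";
echo "hardened:\n" . render_variables_hardened($variables) . "\n";
echo "vulnerable well-formed: "
  . var_export(script_is_well_formed(render_variables_vulnerable($variables)), TRUE) . "\n";
echo "hardened well-formed: "
  . var_export(script_is_well_formed(render_variables_hardened($variables)), TRUE) . "\n";
```

Run with `php example.php`. In the vulnerable output the `foo` line becomes `s.foo="";alert(1);//";`, i.e. the quote in the value terminates the literal and `alert(1)` is a statement of its own; in the hardened output the same value stays inside one literal as `\u0022;alert(1);\/\/`. The structural check is only a regression guard for this one output format, not a general XSS filter; the actual fix is encoding the value for the JavaScript string context at the point where the module renders it.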
Active
1.0
Code