Stored XSS via release links on update pages

Created on 12 April 2024, 3 months ago
Updated 13 April 2024, 3 months ago

Problem/Motivation

This was originally reported to the security team, who decided it could be handled in public.

Steps to reproduce

The XML file for release updates contains release link URLs.
These are displayed in the available updates report without sanitization.
If the XML endpoint were compromised, this could trigger an XSS attack.

Proposed resolution

Validate the URLs before output.

Affected file:

/automatic_updates/src/Form/UpdaterForm.php
Affected code:
// Affected render array: release_link is taken straight from the update XML
// and passed to the template without any validation of its scheme.
'#context' => [
  'release_version' => $release->getVersion(),
  'release_link' => $release->getReleaseUrl(),
  'project_title' => $this->t('Release notes for @project_title @version', [
    '@project_title' => 'Drupal core',
    '@version' => $release->getVersion(),
  ]),
  'release_notes' => $this->t('Release notes'),
],

So the fix is likely to apply \Drupal\Component\Utility\UrlHelper::stripDangerousProtocols() to the link before it is output.
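To make the failure mode concrete, here is an added Python example (not Drupal code; the feed, the allowlist and the helper are constructed for illustration and only loosely modelled on the behaviour of UrlHelper::stripDangerousProtocols) that parses a release feed and renders the link both without and with the scheme check:

```python
import re
import xml.etree.ElementTree as ET
from html import escape
from urllib.parse import unquote

# Scheme allowlist for this demonstration (independent reimplementation, not Drupal's UrlHelper).
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto", "tel"}

# Constructed release feed in the shape of an update XML document; the second release carries
# a hostile release_link of the kind a compromised update endpoint could serve.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <releases>
    <release>
      <version>11.0.0</version>
      <release_link>https://www.drupal.org/project/drupal/releases/11.0.0</release_link>
    </release>
    <release>
      <version>11.0.1</version>
      <release_link>javascript:alert(1)</release_link>
    </release>
  </releases>
</project>"""

def strip_dangerous_protocols(uri: str) -> str:
    """Repeatedly strip a leading scheme that is not on the allowlist.
    Decoding first stops %3A from hiding the colon, and looping stops
    stacked schemes such as 'javascript:javascript:alert(1)' surviving one pass."""
    uri = unquote(uri)
    while True:
        m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", uri)
        if not m or m.group(1).lower() in ALLOWED_PROTOCOLS:
            return uri
        uri = uri[m.end():]

def render_release_links(feed_xml: str, sanitize: bool = True) -> list[str]:
    """Build the anchor tags an updates report would show; sanitize=False reproduces the bug."""
    root = ET.fromstring(feed_xml)
    links = []
    for release in root.iter("release"):
        version = release.findtext("version", "")
        link = release.findtext("release_link", "")
        if sanitize:
            link = strip_dangerous_protocols(link)
        # Attribute escaping alone cannot neutralise a javascript: scheme, so it is
        # necessary but not sufficient; the scheme check above is the actual fix.
        links.append(f'<a href="{escape(link)}">Release notes for Drupal core {version}</a>')
    return links
```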

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
UpdateΒ  β†’

Last updated 5 days ago

  • Maintained by
  • πŸ‡ΊπŸ‡ΈUnited States @tedbow
  • πŸ‡ΊπŸ‡ΈUnited States @dww
Created by

πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

  • Security improvements