[D7] Module and theme names are not filtered on output.

Created on 8 October 2024, 21 days ago

Problem/Motivation

This is a D7 backport of the (fixed) issue "Module and theme names are not filtered on output".


🐛 Bug report
Status

Active

Version

7.0 ⚰️

Component

base system

Created by

🇪🇪Estonia ram4nd Tallinn

  • Security improvements

  • Security


Merge Requests

Comments & Activities

  • Issue created by @ram4nd
  • Pipeline finished with Canceled
    21 days ago
    Total: 339s
    #304242
  • Pipeline finished with Failed
    21 days ago
    Total: 470s
    #304250
  • 🇪🇪Estonia ram4nd Tallinn
  • 🇸🇰Slovakia poker10

    Thank you for working on this!

    I see there are some differences with the original D10 code:

    1. The issue title is "modules and themes are not filtered on output" - I think the D7 backport is sanitizing the data way sooner than on output. I did not have time yet to review whether that has the potential to cause any trouble, but another option would be to move the sanitization to output - for example to system_modules and system_themes_page (or theme_system_themes_page).

    2. Currently the code is adding check_plain on the 'name', 'version' and 'package' attributes. According to the documentation, it seems correct that these three should be in plaintext ( https://www.drupal.org/docs/7/creating-custom-modules/writing-module-inf... ). In the D10 code there does not seem to be a direct sanitization, but I suppose the automatic Twig sanitization is used (anything between {{ }} gets automatically sanitized ( https://www.drupal.org/docs/administering-a-drupal-site/security-in-drup... )).

    3. package in D10 is sanitized using D10's version of filter_xss_admin, see: '#title' => Markup::create(Xss::filterAdmin($this->t($package))),. In D7 it is sanitized using check_plain. We should check what the correct approach is (the output of the package name seems very similar to me - in D10 it is a title in a "details" form element, in D7 it is a title in a "fieldset" form element).

    4. D7 backport is missing tests. Can we add at least a simple test to check the output of name and description for script tags (like it is done in the D10 test)?

    Thanks!

  • 🇪🇪Estonia ram4nd Tallinn

    If I remember correctly, I backported it from D11 not D10.
