Discuss Hardening Vertical Tabs Against Potential XSS

Created on 26 November 2024, 4 months ago

This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.

Problem/Motivation

While the current behavior of vertical tabs is "working as designed," there is room for hardening this feature to mitigate potential vulnerabilities in contributed modules or custom implementations. Specifically, scenarios where user-supplied text is injected unescaped into vertical tabs could lead to cross-site scripting (XSS) attacks. Although identifying these cases is non-trivial, we can proactively strengthen the feature to reduce such risks.

Steps to reproduce

  • Labels are correctly output using check_plain().
  • jQuery.text() fetches text content from DOM elements, which normalizes entities (e.g., the escaped &amp; is returned as a bare &), undoing the escaping done on output.
  • jQuery.html() inserts the normalized content back into the vertical tab summary.

This workflow works as designed but could be exploited if contributed modules bypass sanitization.
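The round trip described above, modelled as an added example (not Drupal core's vertical-tabs.js): checkPlain() stands in for check_plain(), jqueryText() for what jQuery.text() returns once the browser has decoded entities, and the two summary functions show the difference between writing that value back with html() and with text(). Runs in Node without jQuery or a DOM; the label value is constructed.

```javascript
// What check_plain() / Drupal.checkPlain() do on output: escape the
// characters that are significant in HTML.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// What jQuery.text() yields when reading that label back from the DOM:
// the browser has decoded the entities, so the escaping is gone.
// Constructed decoder limited to the entities checkPlain() emits;
// &amp; is decoded last so that a double-escaped "&amp;lt;" stays "&lt;".
function jqueryText(escapedHtml) {
  return escapedHtml
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// The flow the issue describes: label escaped on output, fetched with
// text(), written into the summary with html(). The returned string is
// what becomes innerHTML, so any markup in the label is live again.
function summaryViaHtml(label) {
  const rendered = checkPlain(label);   // correctly escaped on output
  return jqueryText(rendered);          // entities normalized back
}

// Hardened flow: set the summary with text() (or escape again before
// calling html()), so the decoded value is re-escaped before insertion.
function summaryViaText(label) {
  const fetched = jqueryText(checkPlain(label));
  return checkPlain(fetched);           // what .text(fetched) would render
}

// Constructed label containing markup, as a contributed module might
// pass through if it skipped sanitization.
const sampleLabel = 'Tom & Jerry <em>draft</em>';
console.log('html():', summaryViaHtml(sampleLabel));
console.log('text():', summaryViaText(sampleLabel));
```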

Remaining tasks

  • Integrating DOMPurify: A robust library for sanitizing HTML to mitigate potential XSS.
  • Reviewing and identifying places where contributed modules or custom code might incorrectly handle vertical tabs' content.
  • Providing guidelines or documentation for module developers on properly sanitizing user-supplied content in dynamic UI elements.
Task

Status

Active

Version

11.1

Component

javascript

Created by

ram4nd (Tallinn, Estonia)

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
