Remove srcdoc attributes in Xss::filter()

Open on Drupal.org →

Created on 7 March 2025, about 2 months ago

Problem/Motivation

The Xss::filter() method does not remove srcdoc attributes from iframe tags.
This attribute can be used to inject JS into the page.
The XSS filter removes other dangerous attributes like onclick or onload, so I think it should also remove srcdoc.

Xss::filter() does not allow iframe tags by default, so it needs to be called explicitly with iframe in the $allowed_html_tags parameter to be vulnerable.
You could argue that this is a misuse of the XSS filter, but I think it is an easy mistake to make and it could benefit from this hardening.

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.

Steps to reproduce

If someone calls this:

\Drupal\Component\Utility\Xss::filter('<iframe srcdoc="&lt;script&gt;alert(document.cookie)&lt;/script&gt;"></iframe>', ['iframe'])

They could expect a safe iframe tag to be returned but instead the returned HTML could containe malicious JS.

Proposed resolution

Remove srcdoc attributes in Xss::attributes().

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

other

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

!11436Remove srcdoc attributes in Xss::filter()
Closed
🇫🇷France prudloff
updated 2 days ago

Comments & Activities

Issue created by @prudloff
Merge request !11436Remove srcdoc attribute → (Closed) created by prudloff
Pipeline finished with Success
about 2 months ago
Total: 1391s
#445090
Comment about 2 months ago →
🇫🇷France prudloff Lille
Comment about 1 month ago →
🇺🇸United States smustgrave
Reading up on srcdoc on https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/srcdoc and the example

iframe.srcdoc = `<!doctype html><p>Hello World!</p>`; document.body.appendChild(iframe);
Shows HTML being used so would agree it probably should be stripped. Not sure if this needs a CR? Will let committer decide

Comment 2 days ago →

catch → committed 17be2e1b on 10.5.x

Issue #3511566 by prudloff, smustgrave: Remove srcdoc attributes in Xss...

Comment 2 days ago →

catch → committed 540351dc on 11.1.x

Issue #3511566 by prudloff, smustgrave: Remove srcdoc attributes in Xss...

Comment 2 days ago →
🇬🇧United Kingdom catch
Don't think this needs a CR, just a bug fix for me.

Committed/pushed to 11.x, 11.1.x and 10.5.x, thanks!

Comment 2 days ago →

catch → committed 26caa6b1 on 11.x

Issue #3511566 by prudloff, smustgrave: Remove srcdoc attributes in Xss...

Comment 2 days ago →
System Message
catch → closed merge request !11436
Comment 2 days ago →
🇬🇧United Kingdom catch

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024