Notification message is not sanitized.

Created on 14 March 2025, 23 days ago

Problem/Motivation

The notification message displayed when autosaving is output verbatim, leading to an XSS vulnerability. Since configuration for Autosave Form requires the "administer site configuration" permission, this can be fixed publicly as per the Security advisory process and permissions policy.

Steps to reproduce

Visit the configuration page for Autosave Form and set "<script>alert('xss');</script>" as the notification message. Edit content for which autosaving is enabled; the script is executed immediately upon page load.

Proposed resolution

Run the message through Xss::filter() or Xss::filterAdmin().
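Added example, not code from the Autosave Form module or this merge request: a PHPUnit unit test that pins down what sanitizing the configured message with Xss::filterAdmin() keeps and what it strips. The helper name, the `autosave_form` test namespace and the constructed payloads are assumptions; Drupal's `Xss` component and `UnitTestCase` are the real classes.

```php
<?php

declare(strict_types=1);

namespace Drupal\Tests\autosave_form\Unit;

use Drupal\Component\Utility\Xss;
use Drupal\Tests\UnitTestCase;

/**
 * Added example (not the module's code): shows what sanitizing the configured
 * notification message with Xss::filterAdmin() keeps and strips.
 */
class NotificationMessageSanitizationTest extends UnitTestCase {

  /**
   * Hypothetical helper standing in for the fix: sanitize the config value at
   * the point where it is handed to the page (render array or drupalSettings),
   * never trusting it just because an administrator saved it.
   */
  public static function sanitizeNotification(string $message): string {
    // filterAdmin() keeps the rich markup an administrator may legitimately
    // use, but removes <script>/<style> tags, on* event handlers and
    // javascript: URLs. Xss::filter() would be stricter (short tag allowlist).
    return Xss::filterAdmin($message);
  }

  /**
   * @dataProvider payloadProvider
   */
  public function testDangerousMarkupIsStripped(string $payload, string $mustNotContain, string $mustKeep): void {
    $result = self::sanitizeNotification($payload);
    $this->assertStringNotContainsString($mustNotContain, $result);
    $this->assertStringContainsString($mustKeep, $result);
  }

  public static function payloadProvider(): array {
    // Constructed payloads; the first one mirrors the issue's reproduction step.
    return [
      'script tag' => ["<script>alert('xss');</script><strong>Saved</strong>", '<script', '<strong>Saved</strong>'],
      'event handler' => ['<span onmouseover="alert(1)">Saved</span>', 'onmouseover', '<span>Saved</span>'],
      'javascript url' => ['<a href="javascript:alert(1)">Saved</a>', 'javascript:', 'Saved'],
    ];
  }

}
```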

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

mr.baileys (Belgium, Ghent)

  • Security improvements

Merge Requests

Comments & Activities

  • Issue created by @mr.baileys
  • Merge request !28 "Sanitize notification message." (Open) created by mr.baileys
  • mr.baileys (Belgium, Ghent)
  • Pipeline finished with Success
    23 days ago
    Total: 339s
    #448366
  • sdhruvi5142 (India)

    The proposed solution correctly addresses the XSS vulnerability by sanitizing the notification message with Xss::filterAdmin(). Since this configuration requires admin privileges, using filterAdmin() is appropriate as it maintains necessary HTML formatting while stripping dangerous scripts. I've verified the fix by testing with various payloads (including tags and HTML attributes) and confirmed it prevents execution while preserving legitimate markup. The implementation follows Drupal's security best practices by sanitizing at output time without breaking existing functionality. Moving this to RTBC but creating a new issue for fixing the phpcs issues and warnings showing up in the pipeline. #3515975 🐛 PHPCS Issues Active