XSS vulnerability in alt attribute

Created on 11 April 2025

Problem/Motivation

The module has a potential XSS vulnerability because it does not sanitize the value of the image's alt attribute before using it as the caption.

Steps to reproduce

Enable the ImageLightBox formatter on an image field.
Upload an image in this field and set this value as alternative text:

<img src=x onerror="alert()">

When the image is clicked, the malicious JS is executed.

Proposed resolution

captionReset() could use $captionObject.text() instead of $captionObject.html() to ensure the caption is sanitized.
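The following is an added illustration of the sink and the proposed fix, not code from the ImageLightBox module. It models the caption path without a browser so it runs under Node: Drupal's renderer escapes the alt value when it writes the img tag, the browser decodes those entities again when the attribute is read back with something like $img.attr('alt'), and the caption code then receives the raw payload. Passing that string to .html() parses it as markup; passing it to .text() creates a text node, which is what the proposed change relies on. The caption wrapper class and helper names are assumptions made for the example.

```javascript
// Added example (not the ImageLightBox module's code). Models what
// $captionObject.html(alt) versus $captionObject.text(alt) produce
// in the DOM, using plain string serialization so it runs under Node.

const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'", apos: "'" };

// Models reading the attribute back through the DOM: the browser
// decodes the entities Drupal wrote when rendering the <img> tag.
function readAltAttribute(escapedAlt) {
  return escapedAlt.replace(/&(amp|lt|gt|quot|#39|apos);/g, (_, name) => ENTITIES[name]);
}

// What a text node containing `s` serializes to, i.e. the effect of
// jQuery's .text(s): markup characters become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable caption update: $captionObject.html(alt) hands the string
// to the HTML parser, so any tag in the alt text becomes a real element.
function captionHtmlUnsafe(alt) {
  return '<div class="imagelightbox-caption">' + alt + '</div>'; // class name is an assumption
}

// Fixed caption update: $captionObject.text(alt) stores the string as
// character data, so the browser shows the angle brackets literally.
function captionHtmlSafe(alt) {
  return '<div class="imagelightbox-caption">' + escapeHtml(alt) + '</div>';
}

// Check used only in this example: does the serialized caption contain
// any tag other than the wrapper itself?
function introducesElement(captionMarkup) {
  const inner = captionMarkup.replace(/^<div class="imagelightbox-caption">|<\/div>$/g, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample: the payload from the report, as it would sit in
// the rendered alt attribute after Drupal escaped it.
const STORED_ALT = '&lt;img src=x onerror=&quot;alert()&quot;&gt;';

function demo() {
  const alt = readAltAttribute(STORED_ALT);
  return {
    alt,
    unsafe: captionHtmlUnsafe(alt),
    safe: captionHtmlSafe(alt),
    unsafeIntroducesElement: introducesElement(captionHtmlUnsafe(alt)),
    safeIntroducesElement: introducesElement(captionHtmlSafe(alt)),
  };
}

console.log(demo());
```

Switching to .text() closes this sink for any alt value, whatever the server did with it. It also means the caption can no longer carry intentional markup; if that is ever wanted, the value would have to come through a server-side sanitizer rather than straight from the attribute.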

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.2

Component

Code

Created by

prudloff (Lille, France)

  • Security
