When allowing iframes, htmLawed does not remove srcdoc attributes from iframe tags.
This attribute can be used to inject JS into the page.
(This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.)
1. Enable the module
2. Create a new text format using the htmLawed filter with this config:
'safe' => 1, 'elements' => 'a, em, strong, cite, code, ol, ul, li, dl, dt, dd, br, p, iframe'
3. Create a node with a text field using the new text format and add this in the text field:
<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>
htmLawed does not allow iframes by default, so we could consider that if someone allows the iframe tag it is their responsibility to add srcdoc to the list of forbidden attributes.
But it is an easy mistake to make, so I think it would be a good security hardening to remove srcdoc by default.
Another solution would be to make it clear in the field description or in the documentation that when allowing new tags, admins should make sure to restrict dangerous attributes on those tags.
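As an added example (not code from this issue or from the htmLawed module): the weak text-format config from the steps above beside a hardened version that forbids srcdoc, with a check that the attribute is actually stripped rather than assumed to be. It assumes htmLawed.php is loadable from the include path and that deny_attribute is the config key for the forbidden-attribute list.

```php
<?php
// Added example, not part of the issue or the htmLawed project.
// Assumes htmLawed.php is on the include path.
require_once 'htmLawed.php';

// Constructed input: the payload from the report.
$input = '<iframe srcdoc="<script>alert(document.cookie)</script>"></iframe>';

// Weak config from the report: iframe is allowed and nothing restricts its attributes.
$weak = [
    'safe'     => 1,
    'elements' => 'a, em, strong, cite, code, ol, ul, li, dl, dt, dd, br, p, iframe',
];

// Hardened config: same element list, but srcdoc is denied on every element
// (deny_attribute applies globally), so an allowed iframe cannot carry inline markup.
$hardened = $weak + [
    'deny_attribute' => 'srcdoc',
];

// Detection helper: does an iframe with a srcdoc attribute survive in the output?
function srcdoc_survives(string $html): bool
{
    return (bool) preg_match('/<iframe\b[^>]*\bsrcdoc\s*=/i', $html);
}

// Run both configs over the same input and report which one leaks srcdoc.
function compare_configs(string $input, array $weak, array $hardened): array
{
    return [
        'weak_keeps_srcdoc'     => srcdoc_survives(htmLawed($input, $weak)),
        'hardened_keeps_srcdoc' => srcdoc_survives(htmLawed($input, $hardened)),
    ];
}

foreach (compare_configs($input, $weak, $hardened) as $label => $leaks) {
    printf("%s: %s\n", $label, $leaks ? 'yes' : 'no');
}
```

The same check can be dropped into a test for any text format that adds iframe to its element list, so a missing deny_attribute entry is caught before content is published.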
Active
4.1
Code