Harden Drupal against DOM clobbering attacks

Created on 10 May 2025, 27 days ago

Problem/Motivation

DOM clobbering is a technique that defines global JavaScript properties from HTML markup: elements with an id or name attribute become accessible as properties of window (and document).
It is not dangerous by itself, but in some very specific scenarios it can be used to trigger XSS attacks.

I think the default CKE config does not allow any DOM clobbering payload.
However Xss::filter() does allow some potential payloads (and this method is used by various modules to sanitize user inputs).

Steps to reproduce

Consider the following code pattern:

  // Use value defined by websites or fallback to default value.
  const url = window.urlSetting || 'https://example.com/';
  console.log(String(url));

If an attacker is able to insert this HTML:

<a id="urlSetting" href="https://malicious-domain.com/"></a>

Then window.urlSetting will be that anchor element rather than undefined, and because anchors stringify to their href, String(url) yields https://malicious-domain.com/.

This can also be used for nested variables:

  const url = window.settings.url || 'https://example.com/';
  console.log(String(url));

with this HTML (two elements sharing the id turn window.settings into an HTMLCollection, and the collection's url property resolves to the element whose name attribute is "url"):

<a id="settings"></a><a id="settings" name="url" href="https://malicious-domain.com/"></a>

(I think this only works in some browsers.)

This technically works with other tags, but only <a> allows casting to an arbitrary attacker-chosen string (its href).
Other tags cast to something like "[object HTMLDivElement]".

More complex attacks are possible with img, iframe or form tags but Xss::filter() does not allow these tags by default.
See https://domclob.xyz/domc_payload_generator/ for examples.

Proposed resolution

Removing every id and name attribute from user-supplied HTML is probably overkill. For example, id attributes are often used on h2, h3, etc. as anchor targets.

Maybe Xss::filter() could remove these attributes on <a> tags by default.
This could be a breaking change if modules depend on users being able to set these attributes.
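As an added example (not code from this issue or from Drupal core), the following Node script reproduces both clobbering scenarios above without a browser, using constructed stand-ins for the HTMLAnchorElement and HTMLCollection that the payloads would create, and puts the vulnerable access pattern next to a hardened accessor. The hardened version accepts only a primitive string for the setting and only a plain object for the nested container; elements and collections report a different Object.prototype.toString tag and so fall back to the default. The window-like objects and the fakeAnchor/fakeCollection helpers are assumptions made for the example.

```javascript
// Added example, not part of the Drupal issue. Runs under Node with no DOM.

// Constructed stand-in for the HTMLAnchorElement created by
// <a id="urlSetting" href="https://malicious-domain.com/">.
// Real anchors stringify to their href; that is what makes <a> useful here.
function fakeAnchor(href) {
  return {
    href,
    toString() { return this.href; },
    get [Symbol.toStringTag]() { return 'HTMLAnchorElement'; },
  };
}

// Constructed stand-in for the HTMLCollection produced by two <a id="settings">
// elements: window.settings becomes a collection, and settings.url resolves to
// the element whose name attribute is "url".
function fakeCollection(named) {
  const coll = { get [Symbol.toStringTag]() { return 'HTMLCollection'; } };
  return Object.assign(coll, named);
}

const FALLBACK = 'https://example.com/';

// Vulnerable pattern from the issue: any truthy value wins, including an element.
function vulnerableUrl(win) {
  const url = win.urlSetting || FALLBACK;
  return String(url);
}

function vulnerableNestedUrl(win) {
  const url = win.settings.url || FALLBACK;
  return String(url);
}

// Hardened accessors. typeof rejects elements and collections outright; for the
// nested case the container itself is checked, because an HTMLCollection is
// truthy and happily serves attacker-named children.
function isPlainObject(v) {
  return Object.prototype.toString.call(v) === '[object Object]';
}

function readString(value, fallback) {
  return typeof value === 'string' ? value : fallback;
}

function hardenedUrl(win) {
  return readString(win.urlSetting, FALLBACK);
}

function hardenedNestedUrl(win) {
  const settings = isPlainObject(win.settings) ? win.settings : {};
  return readString(settings.url, FALLBACK);
}

// Constructed "window" objects: one clobbered by the two payloads, one legitimate.
const clobberedWindow = {
  urlSetting: fakeAnchor('https://malicious-domain.com/'),
  settings: fakeCollection({ url: fakeAnchor('https://malicious-domain.com/') }),
};

const legitWindow = {
  urlSetting: 'https://cdn.example.org/',
  settings: { url: 'https://cdn.example.org/' },
};

console.log('vulnerable, clobbered:', vulnerableUrl(clobberedWindow), vulnerableNestedUrl(clobberedWindow));
console.log('hardened,   clobbered:', hardenedUrl(clobberedWindow), hardenedNestedUrl(clobberedWindow));
console.log('hardened,   legit:    ', hardenedUrl(legitWindow), hardenedNestedUrl(legitWindow));
```

In a real browser the same checks hold: Object.prototype.toString.call(window.settings) returns "[object HTMLCollection]" for the clobbered case and typeof window.urlSetting returns "object", so neither passes. The typeof check is the cheap, general fix for any site-configured string read off window; the container check matters only for the nested pattern.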

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Active

Version

11.0

Component

other

Created by

France, prudloff (Lille)

Tags

Security improvements
