- Issue created by @prudloff
- π«π·France prudloff Lille
I also included img tags because Xss::filterAdmin() allows them and they can be used for this kind of attack:
<img name="currentScript" src="https://example.com/">
In any JS loaded later,
document.currentScript
now points to this img tag instead of the expected script tag. - πΊπΈUnited States smustgrave
Seeing as a very popular module like https://www.drupal.org/project/editor_advanced_link β allows for setting ID id be a -1 for this change.
Definitely donβt think can remove cold turkey.
- πΊπΈUnited States smustgrave
Actually believe such a feature belongs in the security kit module
- π«π·France prudloff Lille
Then maybe we could at least remove the name attribute? I'm not sure there is a legitimate use case for it nowadays, it is deprecated on links and img.
- πΊπΈUnited States smustgrave
Yea probably would argue for keeping name but does seem like something that maybe should be configurable? Why security kit seemed like a good spot for it. But ID definitely could be in use.
- π«π·France prudloff Lille
I updated the MR to stop removing id attributes.
does seem like something that maybe should be configurable?
π Allow Xss::filter() to restrict allowed attributes Active could be a solution to be able to explicitly allow name attributes.
- πΊπΈUnited States smustgrave
Then I think this should be postponed in that issue. Think the order should be to allow people name attributes then remove them vs the opposite if this landed first