XSS in footnote text

Created on 24 June 2025

Problem/Motivation

The module creates a Footnote text format and uses it to restrict which tags are allowed in footnote text.
But it seems this text format is not really enforced when rendering the footnote text.
This could allow injecting arbitrary JS in the page.

Steps to reproduce

1. Create a text format with the footnotes filter.
2. In a CKE field using this format, use source editing to insert this HTML:

<p>
    <footnotes data-text="&lt;img src=x onload=&quot;alert()&quot; onerror=&quot;alert()&quot;&gt;" data-value="foo">&nbsp;</footnotes>
</p>

3. When the node is displayed, the JS is executed.

This can be mitigated by having the "Limit allowed HTML tags and correct faulty HTML" filter run after "Footnotes filter" in the node text format.

Proposed resolution

The module should filter the footnote text with the filters from the Footnote format when displaying the text, not just when saving the modal.
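The following is an added example (not the Footnotes module's own code) of the resolution proposed above: a render-time filter plugin that passes every `data-text` value of a `<footnotes>` element through the Footnote text format via Drupal core's `check_markup()` before the markup is output, so the format's allowlist is enforced on display and not only when the editor modal is saved. This is the same effect the interim mitigation above (running "Limit allowed HTML tags and correct faulty HTML" after the Footnotes filter) achieves by ordering, but scoped to the footnote text itself. The namespace, plugin id, class name and the `footnote` format machine name are assumptions; check the module's actual format id in its config before reusing any of this.

```php
<?php

// Added example, not code from the Footnotes module. Assumes the module's
// Footnote text format has the machine name 'footnote' (placeholder).
namespace Drupal\footnotes_example\Plugin\Filter; // hypothetical namespace

use Drupal\Component\Utility\Html;
use Drupal\filter\FilterProcessResult;
use Drupal\filter\Plugin\FilterBase;

/**
 * Enforces the Footnote text format on footnote text at render time.
 *
 * @Filter(
 *   id = "footnotes_example_render_filter",
 *   title = @Translation("Footnotes: apply Footnote format on display (example)"),
 *   type = Drupal\filter\Plugin\FilterInterface::TYPE_HTML_RESTRICTOR
 * )
 */
class FootnotesRenderFilter extends FilterBase {

  /**
   * Machine name of the Footnote text format (assumed placeholder).
   */
  const FOOTNOTE_FORMAT = 'footnote';

  /**
   * {@inheritdoc}
   */
  public function process($text, $langcode) {
    $dom = Html::load($text);
    $xpath = new \DOMXPath($dom);

    // Every footnote carries its text in the data-text attribute, which the
    // module later renders as HTML. Filter it with the Footnote format here so
    // the allowlist applies regardless of how the attribute was authored
    // (editor modal, source editing, REST, migration).
    foreach ($xpath->query('//footnotes[@data-text]') as $node) {
      $raw = $node->getAttribute('data-text');
      // check_markup() runs all filters of the named format, including the
      // "Limit allowed HTML tags" filter, which strips disallowed tags and
      // event-handler attributes such as onload/onerror.
      $clean = (string) check_markup($raw, self::FOOTNOTE_FORMAT, $langcode);
      $node->setAttribute('data-text', $clean);
    }

    $result = new FilterProcessResult(Html::serialize($dom));
    // Rendered output now depends on the Footnote format's configuration, so
    // cached renderings must be invalidated when that format changes.
    $format = \Drupal::entityTypeManager()
      ->getStorage('filter_format')
      ->load(self::FOOTNOTE_FORMAT);
    if ($format) {
      $result->addCacheableDependency($format);
    }
    return $result;
  }

}
```

For this to matter, the filter has to run before the module's own Footnotes filter in the node's text format (lower weight), or the same `check_markup()` call has to be placed inside that filter's `process()` right before the footnote text is rendered. A quick check after deploying either variant is to re-run the reproduction steps above and confirm the `onload`/`onerror` attributes are gone from the rendered page source.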

Remaining tasks

User interface changes

API changes

Data model changes

Bug report

Status: Active

Version: 4.0

Component: Footnotes

Created by: prudloff (Lille, France)

Tags: Security
