Autocomplete executes scripts entered in fields on edit page

Created on 5 September 2025, 26 days ago

Problem/Motivation

I was testing another issue's patch and found this issue, which can lead a website into a critical situation where the only option would be to uninstall this module from the site, or it would require deleting the script from the database manually.

This is related to XSS injection: if someone enters a script in the class or custom attribute field and places the block,
the script gets executed each time the autocomplete AJAX is triggered when editing an existing block or placing a new block in the block layout. This can lead to a possible XSS injection attack.

Steps to reproduce

  • Create a custom block.
  • Place the block from the block layout settings page.
  • While placing the block, enter a script (an alert or console.log) as a custom class or attribute value.
  • Save and place the block.
  • Now edit the same block, or any block from the block layout, and edit/change the same class/attribute field.
    This will trigger the autocomplete, and the script entered previously will get executed each time the autocomplete AJAX is triggered.
  • We don't have any option to delete the script and cannot stop the autocomplete AJAX; the only solution is to uninstall the module itself, and doing so will delete all customization done before.

Proposed resolution

Add validation before saving user-entered values in the database, and do not allow saving any value containing any script in the database.
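The two defences that fit this report, as an added example that is not part of the issue or of the module's own code: the proposed resolution above (reject values that are not valid CSS class tokens or plain attribute name/value pairs before they are stored) and the complementary output-side fix, escaping stored values when the autocomplete suggestion list is rendered, which is what stops a payload that is already in the database from executing. All function names, the sample stored values and the shape of the rendered suggestion list are assumptions; the issue does not show the module's real autocomplete markup.

```javascript
// Added example (not the module's code). Assumed names throughout.

// Characters that must not appear literally in HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed to be what the report describes): stored values are
// concatenated into markup unescaped, so a stored "<script>alert(1)</script>"
// class runs every time the suggestion list is rendered into the page.
function renderSuggestionsUnsafe(values) {
  return '<ul>' + values.map((v) => `<li>${v}</li>`).join('') + '</ul>';
}

// Hardened: escape at the output boundary, whatever happens to be stored.
// This neutralises payloads that are already in the database.
function renderSuggestionsSafe(values) {
  return '<ul>' + values.map((v) => `<li>${escapeHtml(v)}</li>`).join('') + '</ul>';
}

// Input-side defence (the issue's proposed resolution), written as an allow-list
// rather than a "contains <script>" blacklist: every whitespace-separated token
// must be a plausible CSS class identifier.
const CLASS_TOKEN = /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/;

function isValidClassList(value) {
  const tokens = String(value).trim().split(/\s+/).filter(Boolean);
  return tokens.length > 0 && tokens.every((t) => CLASS_TOKEN.test(t));
}

// Custom attributes (assumed policy): the name must be a plain identifier and must
// not be an event-handler attribute (on*), and the value may not contain the
// characters that could close or open markup.
const ATTRIBUTE_NAME = /^[a-zA-Z][a-zA-Z0-9-]*$/;
const ATTRIBUTE_VALUE = /^[^<>"'&]*$/;

function isValidCustomAttribute(name, value) {
  if (!ATTRIBUTE_NAME.test(name)) return false;
  if (/^on/i.test(name)) return false;
  return ATTRIBUTE_VALUE.test(String(value));
}

// Constructed sample of what the database might already hold after the steps above.
const storedClasses = ['<script>alert(1)</script>', 'hero', 'col-md-6'];

// Usage: the safe renderer yields inert text for the payload; the validator would
// have refused to store it in the first place.
renderSuggestionsSafe(storedClasses);
isValidClassList(storedClasses[0]);
```

Validating input alone leaves any payload already in the database live, which is exactly the situation the reporter describes; escaping at render time neutralises it regardless of what was stored, and the allow-list keeps the field from accepting values that are not classes or attribute pairs at all. Both are needed, and any payload stored before the fix still has to be removed from the saved block configuration.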

🐛 Bug report
Status

Active

Version

4.0

Component

Code

Created by

rakesh.regar (Rajasthan, India)

Issue tags

  • Security
