- Issue created by @renatog
User reported a security issue publicly on D.O: https://www.drupal.org/project/block_class/issues/3545094 (🐛 "Autocomplete executes scripts entered in fields on edit page", status: Active)
I didn't test it yet.
However, since it is a security issue, I suggested opening it via the security process.
I requested that the node be unpublished for security reasons: https://www.drupal.org/project/site_moderators/issues/3545124 (📌 "Request to Delete or Unpublish Node ID 3545094 for Security Reasons", status: Active)
The requester didn't report it here, so I'm creating the same issue here.
Note: I'm copying and pasting the same issue with the same text. I didn't test it yet.
I'll test it and update the text as needed.
I'm just reporting it to keep it tracked.
I was testing another issue's patch and found this issue, which can put a website in a critical situation where the only option would be to uninstall this module from the site, or to delete the script from the database manually.
This is related to XSS injection: if someone enters a script in the class or custom attribute field and places the block.
The script gets executed each time the autocomplete AJAX is triggered when editing an existing block or placing a new block in the block layout; this can lead to a possible XSS injection attack.
    1. Create a custom block.
    2. Place the block from the block layout settings page.
    3. While placing the block, enter a script (an alert or console.log) as a custom class or attribute value.
    4. Save and place the block.
    5. Now edit the same block, or any block from the block layout, and edit/change the same class/attribute field.
    6. This will trigger the autocomplete, and the script entered previously will get executed each time the autocomplete AJAX is triggered.
    7. We don't have any option to delete the script and cannot stop the autocomplete AJAX; the only solution is to uninstall the module itself, and doing so will delete all customization done before.
Add validation before saving user-entered values to the database, and do not allow saving any value containing a script.
Status: Active, Version: 4.0, Component: Code
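The two fixes a reviewer would want to see for a report like this are (a) a strict allow-list on what a class or attribute value may contain before it is stored, and (b) escaping of stored values when the autocomplete response is turned into markup, so that an already-stored payload is displayed as text rather than executed. The block below is an added example written for this page, not the block_class module's own code; the helper names (`isValidCssClassName`, `invalidClassTokens`, `renderSuggestionUnsafe`, `renderSuggestionSafe`) and the sample stored values are hypothetical and constructed here, and the markup shape of the suggestion item is an assumption about how an autocomplete widget renders its list.

```javascript
// Added example (not the block_class module's own code): strict validation of
// user-supplied CSS class values, and escaped vs. unescaped rendering of
// autocomplete suggestions. Helper names are hypothetical.

// Allow only plain CSS identifiers: optional leading hyphen, then a letter or
// underscore, then letters, digits, hyphens or underscores. Unicode characters
// and CSS escape sequences are deliberately rejected to keep the allow-list
// simple; anything containing '<', '>', quotes, '=' or whitespace cannot pass.
const CSS_IDENT = /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/;

function isValidCssClassName(token) {
  return typeof token === 'string' && CSS_IDENT.test(token);
}

// Validation suitable for the save path: split the field value on whitespace
// and return every token that fails the allow-list. An empty array means the
// whole value is safe to store; a non-empty array is what a form validation
// error would report back to the user.
function invalidClassTokens(value) {
  return String(value)
    .trim()
    .split(/\s+/)
    .filter((t) => t !== '' && !isValidCssClassName(t));
}

// Minimal HTML escaping for text that is inserted into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The failure mode described in the report: a suggestion label taken from a
// stored value is concatenated straight into markup, so a stored
// "<script>...</script>" becomes live markup each time the list is rendered.
function renderSuggestionUnsafe(label) {
  return '<li class="ui-menu-item">' + label + '</li>';
}

// Hardened rendering: the label is escaped first, so the stored value is shown
// as literal text. This also neutralises payloads that were stored before the
// save-time validation existed.
function renderSuggestionSafe(label) {
  return '<li class="ui-menu-item">' + escapeHtml(label) + '</li>';
}

// Constructed sample of values an autocomplete endpoint might return from the
// database, including one that should never have been stored.
const SAMPLE_STORED_VALUES = [
  'sidebar-promo',
  'col-md-6',
  '<script>alert(1)</script>',
  '1starts-with-digit',
];

// Runs every sample value through validation and both renderers so the
// difference can be inspected side by side.
function demo() {
  return SAMPLE_STORED_VALUES.map((v) => ({
    value: v,
    invalidTokens: invalidClassTokens(v),
    unsafe: renderSuggestionUnsafe(v),
    safe: renderSuggestionSafe(v),
  }));
}

for (const row of demo()) {
  console.log(JSON.stringify(row));
}
```

Note the order of the two measures: validation on save stops new payloads, but only escaping at render time helps a site that already has a script stored in the class field, which is the "cannot delete it" situation the report describes.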