- Merge request !25Issue #3545793-xss-vulnerability: Solved Xss vulnerability issue for the module. → (Open) created by sourabhsisodia_
This module uses the value of the data-settings attribute without sanitizing dangerous options.
<div class="tiny-slider-wrapper" data-settings='{ "controlsText": ["<img src=x onerror=alert()>"] }'><span>XSS</span></div>
This is mitigated by the fact the default CKE config does not allow data attributes.
However Xss::filter() allows data attributes and this method is used by various contrib modules to sanitize user inputs.
For example this can be reproduced with the html_title module:
1. Enable the module
2. Create a node with this title:
<sub class="tiny-slider-wrapper" data-settings='{ "controlsText": ["<img src=x onerror=alert()>"] }'><sub>XSS</sub></sub>
I wonder if calling Drupal.checkPlain() on every setting would work or if it could break some legitimate settings.
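One way to close the hole described above, as an added example that is not the tiny_slider module's own code: parse the data-settings JSON, keep only an allowlist of known options with their expected types, and HTML-escape any string-valued option before it reaches the slider library. The allowlist below is an assumed, partial set of tiny-slider options (only controlsText is confirmed by the issue), and escapeHtml() is a local stand-in for Drupal.checkPlain().

```javascript
// Added example, not code from the tiny_slider module or from tiny-slider itself.
// Goal: make the value of data-settings safe to hand to the slider library.

// Minimal HTML escaper; intended to behave like Drupal.checkPlain() on a string.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Assumed (partial) allowlist of slider options and the type each must have.
// Anything not listed, or of the wrong type, is dropped instead of passed through.
const ALLOWED_SETTINGS = {
  items: 'number',
  loop: 'boolean',
  controls: 'boolean',
  controlsText: 'stringArray',
};

// Returns a settings object that contains only allowlisted, type-checked
// options, with every string escaped. Malformed JSON yields an empty object.
function sanitizeSliderSettings(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    return {};
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return {};
  }
  const clean = {};
  for (const [key, expected] of Object.entries(ALLOWED_SETTINGS)) {
    if (!Object.prototype.hasOwnProperty.call(parsed, key)) continue;
    const value = parsed[key];
    switch (expected) {
      case 'number':
        if (typeof value === 'number' && Number.isFinite(value)) clean[key] = value;
        break;
      case 'boolean':
        if (typeof value === 'boolean') clean[key] = value;
        break;
      case 'stringArray':
        if (Array.isArray(value) && value.every((v) => typeof v === 'string')) {
          clean[key] = value.map(escapeHtml);
        }
        break;
    }
  }
  return clean;
}

// Constructed sample input mirroring the proof of concept in the issue,
// plus a wrongly typed option and an unknown one to show both being dropped.
const SAMPLE_DATA_SETTINGS =
  '{ "controlsText": ["<img src=x onerror=alert()>", "next"], "items": 3, "loop": "yes", "unknownOption": 1 }';

// In a browser this would be wired up as:
//   const settings = sanitizeSliderSettings(el.getAttribute('data-settings'));
// and only `settings` would be passed to the slider constructor.
```

On the question the issue raises: because the library renders controlsText as markup (which is exactly why the payload fires), escaping turns any legitimate HTML in those labels (for example an arrow icon) into literal text. The allowlist keeps that breakage confined to string options, and numeric and boolean options pass through untouched.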
Active
1.1
Code