XSS vulnerability

Created on 9 September 2025
Updated 10 September 2025

Problem/Motivation

This module uses the value of the data-settings attribute without sanitizing dangerous options.

Steps to reproduce

  1. Create a bundle with an image field that uses the Tiny Slider Carousel formatter.
  2. As an attacker who can insert HTML in the page, insert this HTML:

     <div class="tiny-slider-wrapper" data-settings='{ "controlsText": ["&lt;img src=x onerror=alert()&gt;"] }'><span>XSS</span></div>

  3. When the page is displayed, the JS is executed.

This is mitigated by the fact that the default CKEditor configuration does not allow data attributes.
However, Xss::filter() allows data attributes, and this method is used by various contrib modules to sanitize user input.

For example, this can be reproduced with the html_title module:

  1. Enable the module.
  2. Create a node with this title:

     <sub class="tiny-slider-wrapper" data-settings='{ "controlsText": ["&lt;img src=x onerror=alert()&gt;"] }'><sub>XSS</sub></sub>

Proposed resolution

I wonder if calling Drupal.checkPlain() on every setting would work or if it could break some legitimate settings.
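As an added illustration (not the Tiny Slider module's code and not part of the original report), the following shows the two halves of the issue: why the `&lt;img ...&gt;` payload in data-settings survives a tag filter yet becomes real markup once the browser decodes the attribute, and what escaping every string setting in the Drupal.checkPlain() style does to it. `readDataSettings` is a stand-in for the browser's attribute parsing, `renderControls` is a stand-in for the part of tiny-slider that writes `controlsText` into the control buttons as HTML, and `checkPlain` is a local equivalent of Drupal.checkPlain(); the attacker markup is constructed to match the reproduction step above.

```javascript
// Added example, not module code. Constructed attacker markup, same shape as the
// reproduction step in the issue.
const ATTACKER_HTML =
  '<div class="tiny-slider-wrapper" data-settings=\'{ "controlsText": ["&lt;img src=x onerror=alert()&gt;"] }\'><span>XSS</span></div>';

// Stand-in for the browser's attribute parsing: pull the data-settings value and
// decode the character references the HTML parser decodes. The &lt;/&gt; entities
// are why a tag filter such as Xss::filter() sees only text, while the DOM ends up
// with a real "<img ...>" string inside the JSON.
function readDataSettings(html) {
  const m = html.match(/data-settings='([^']*)'/);
  if (!m) return null;
  const decoded = m[1]
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // decode &amp; last so "&amp;lt;" stays "&lt;"
  return JSON.parse(decoded);
}

// Local equivalent of Drupal.checkPlain(): escape the five HTML-significant characters.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Recursively escape every string in the settings object. Numbers, booleans and
// null are left alone, so options such as items: 3 or autoplay: true keep working.
function sanitizeSettings(value) {
  if (typeof value === 'string') return checkPlain(value);
  if (Array.isArray(value)) return value.map(sanitizeSettings);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeSettings(v)]),
    );
  }
  return value;
}

// Stand-in for the slider library's control rendering: controlsText is interpolated
// into the buttons as HTML, which is the sink the payload reaches.
function renderControls(settings) {
  const [prev = 'prev', next = 'next'] = settings.controlsText || [];
  return `<button data-controls="prev">${prev}</button>` +
    `<button data-controls="next">${next}</button>`;
}

// Render the same attacker-controlled settings with and without escaping.
function demo(html) {
  const raw = readDataSettings(html);
  return {
    vulnerable: renderControls(raw),
    hardened: renderControls(sanitizeSettings(raw)),
  };
}

console.log(demo(ATTACKER_HTML));
```

The hardened output renders the payload as literal text instead of an image tag. The caveat for the proposed fix is visible in the same function: any legitimate markup someone put in `controlsText` (arrow entities, inline SVG) would be rendered literally too, so a narrower alternative is to allow markup only on an explicit list of keys, or to reject non-text values there, rather than escaping every string blindly.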

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

1.1

Component

Code

Created by

prudloff (Lille, France)
