Potential XSS vulnerability in webform_submission_log

Created on 18 September 2025, 21 days ago

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

The webform_submission_log submodule has a potential XSS vulnerability because it does not sanitize log messages before displaying them.

This could be a problem if some custom code logs a message containing unescaped user input.

Steps to reproduce

1. Enable the webform_submission_log module
2. Call something like this:

$context = []; // any context array; the payload is carried in the message itself
\Drupal::logger('webform_submission')->error('<img src=x onerror=alert()>', $context);

3. Browse to /admin/structure/webform/submissions/log: the JS is executed.

(dblog does not have this problem; it always filters log messages against XSS.)

Proposed resolution

We could filter log messages with Xss::filterAdmin() before displaying them (dblog does this).
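As an added illustration, not code from the webform module or from this issue, the difference between rendering a stored log message as trusted markup and filtering it with Xss::filterAdmin() first; the helper functions are hypothetical stand-ins for the real log controller, whose code is not shown here.

```php
<?php

// Added illustration, not webform project code. It assumes hypothetical
// helpers that turn a stored log message into renderable markup.
use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

// Constructed sample message, the same shape as the reproduction step:
// an event-handler attribute next to an ordinary link a log entry might carry.
$message = '<img src=x onerror=alert()> <a href="/node/1">Submission #1</a>';

// Weak form: the stored string is wrapped as already-safe markup.
// Markup::create() tells the renderer to skip escaping and filtering,
// so the onerror handler is delivered to the browser unchanged.
function weakLogMessage(string $message): Markup {
  return Markup::create($message);
}

// Hardened form: run the string through the admin tag whitelist first
// (the approach the issue proposes, and what dblog does). Xss::filterAdmin()
// keeps the tags on Drupal's admin list but strips on* event-handler
// attributes and javascript: URLs, so the link survives and the
// onerror handler does not.
function safeLogMessage(string $message): Markup {
  return Markup::create(Xss::filterAdmin($message));
}

// Either helper can then be used as the '#markup' of a render array, e.g.
// ['#markup' => safeLogMessage($message)], without further escaping.
```

The filtered form still permits harmless formatting in log messages, which is why filterAdmin() is preferable to full HTML escaping for an admin-only listing.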

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

6.3

Component

Code

Created by

prudloff (Lille, France)

  • Security
