Module and theme names are not filtered on output.

Created on 19 November 2009, over 14 years ago
Updated 13 June 2024, 3 days ago

Problem/Motivation

Especially with the growth of Features, and the ability to use update module to add/update themes and modules, it seems like a not entirely safe assumption that what's in the .info file is safe text.

Also, there are modules that let you write themes, for example, by starting from an existing theme as a template. In that case, a user with a lesser admin permission might be able to inject XSS.

We should sanitize all the elements of the .info file that may be displayed (or maybe just all) as a simple hardening.
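As an added example (not code from this issue or from Drupal core), the pattern the summary warns about: a .info value assigned straight to `#markup` so it reaches the page unescaped, next to the hardened output that treats every .info value as plain text the way `#plain_text` does, plus a small review check that flags parsed values carrying markup. The flat parser, the constructed .info content and all function names are assumptions standing in for Drupal's own InfoParser and render pipeline.

```php
<?php
declare(strict_types=1);

// Constructed .info.yml content standing in for a theme written by a low-privilege user.
const UNTRUSTED_INFO = <<<'YAML'
name: "Shiny <img src=x onerror=alert(1)>"
type: theme
description: Starter theme <b>copied</b> from a template
version: 1.0.0
YAML;

/** Minimal flat key: value parser (hypothetical; not Drupal's InfoParser). */
function parse_info(string $text): array {
  $info = [];
  foreach (preg_split('/\R/', $text) as $line) {
    if (preg_match('/^\s*([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$/', $line, $m)) {
      $info[$m[1]] = trim($m[2], '"\'');
    }
  }
  return $info;
}

/** Mirrors assigning .info values to '#markup': the value is concatenated into HTML unescaped. */
function render_row_markup(array $info): string {
  return '<td>' . ($info['name'] ?? '') . '</td><td>' . ($info['description'] ?? '') . '</td>';
}

/** Hardened form: escape as plain text, which is what '#plain_text' / Html::escape() do. */
function escape_plain(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_plain_text(array $info): string {
  return '<td>' . escape_plain($info['name'] ?? '') . '</td><td>'
    . escape_plain($info['description'] ?? '') . '</td>';
}

/** Review check: names the .info keys whose values contain tags, before anything is rendered. */
function info_keys_with_markup(array $info): array {
  return array_keys(array_filter($info, fn(string $v): bool => $v !== strip_tags($v)));
}

$info = parse_info(UNTRUSTED_INFO);
echo render_row_markup($info), "\n";      // the event-handler attribute survives into the page
echo render_row_plain_text($info), "\n";  // the same value shows as literal text
print_r(info_keys_with_markup($info));    // keys a reviewer should look at
```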

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Needs review

Version

11.0 🔥

Component
Extension 

Last updated 3 days ago

No maintainer
Created by

🇺🇸United States pwolanin

  • Security improvements


  • Needs backport to D7



Merge Requests

Comments & Activities


  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇮🇳India Nikhil_110

    Attached patch against Drupal 10.1.x

    Patch #46 does not apply to Drupal 10, so an interdiff file is not added.

    Checking patch core/modules/system/src/Form/ModulesListForm.php...
    Hunk #1 succeeded at 21 (offset 1 line).
    Hunk #2 succeeded at 143 (offset 3 lines).
    Hunk #3 succeeded at 208 (offset 8 lines).
    error: while searching for:
    $row['#requires'] = [];
    $row['#required_by'] = [];

    $row['name']['#markup'] = $module->info['name'];
    $row['description']['#markup'] = $this->t($module->info['description']);
    $row['version']['#markup'] = $module->info['version'];

    // Generate link for module's help page. Assume that if a hook_help()
    // implementation exists then the module provides an overview page, rather

    error: patch failed: core/modules/system/src/Form/ModulesListForm.php:247
    error: core/modules/system/src/Form/ModulesListForm.php: patch does not apply
    Checking patch core/modules/system/system.admin.inc...

  • Test run (Jenkins)
    Environment: PHP 8.2 & sqlite-3.34
    last update 8 months ago
    29,506 pass, 62 fail
  • First commit to issue fork.
  • Status changed to Needs review 2 months ago
  • 🇮🇳India Bhanu951

    Came from http://www.madirish.net/555

    Re-Rolled patch from #46 against 11.x head.

  • Pipeline finished with Canceled
    2 months ago
    Total: 223s
    #143588
  • Status changed to Needs work 2 months ago
  • The Needs Review Queue Bot tested this issue.

    While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

  • Pipeline finished with Failed
    2 months ago
    Total: 991s
    #143596
  • First commit to issue fork.
  • Pipeline finished with Failed
    3 days ago
    Total: 542s
    #198079
  • Pipeline finished with Failed
    3 days ago
    Total: 588s
    #198099
  • Pipeline finished with Success
    3 days ago
    Total: 510s
    #198105
  • Addressed the test failures & pipeline passed

    Please review, moved to NR.

  • Status changed to Needs review 3 days ago