XSS in comment-wrapper.tpl.php [#1436286]

The newly added $labels['form_label'] and $labels['section_label'] need to be escaped in the comment-wrapper.tpl.php template file.

To reproduce, switch to stark or any theme which does not override core's comment-wrapper.tpl.php and inject some XSS in either the Comment section label or the New comment form label on the content type edit form, such as Comments <script>alert('section')</script>.

Given that this vulnerability requires the 'administer content types' permission, it does not need to go through the regular security team process.

Comment	File	Size	Author
#1	1436286-1.patch	660 bytes	pwolanin

Comments

Comment #1

pwolanin commented 20 April 2012 at 15:13

Status:

Active

» Needs review

Status	File	Size
new	1436286-1.patch	660 bytes

should be made safe in preprocess

Comment #2

pwolanin commented 20 April 2012 at 16:30

Status:

Needs review

» Reviewed & tested by the community

scor confirmed in IRC that the fix looks right.

Comment #3

pwolanin commented 20 April 2012 at 16:32

Status:

Reviewed & tested by the community

» Fixed

committed

Comment #4

jessebeach commented 20 April 2012 at 17:05

Status:

Fixed

» Closed (fixed)

In the 7.x-1.x branch. To be included in an upcoming release.

XSS in comment-wrapper.tpl.php

Comments

Comment #1

Comment #2

Comment #3

Comment #4

News items

Our community

Documentation

Drupal code base

Governance of community