See http://api.drupal.org/api/drupal/includes%21common.inc/function/format_u...

Return value

An unsanitized string with the username to display. The code receiving this result must ensure that check_plain() is called on it before it is printed to the page.

See includes/login_history.admin.inc:
http://drupalcode.org/project/login_history.git/blob/refs/heads/7.x-1.x:...
http://drupalcode.org/project/login_history.git/blob/refs/heads/7.x-1.x:...

This issue is safe to report in public since this module has no official public release, only a dev release. It should block a stable release of this module: if it is not fixed before a stable release exists, fixing it afterwards will require an official security announcement.
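The pattern the issue describes, as an added example (not code from the login_history module or from Drupal core): the two core functions are replaced by minimal stand-ins so the snippet runs outside a Drupal bootstrap. The stand-in `check_plain()` mirrors Drupal 7's implementation (`htmlspecialchars()` with `ENT_QUOTES` and UTF-8); the stand-in `format_username()` returns the raw account name, which is exactly what the real function's API documentation warns about. The account object and the two row-building functions are constructed for illustration.

```php
<?php
// Stand-in for Drupal 7 core check_plain(): HTML-escape a string for output.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 7 core format_username(): returns the display name
// UNSANITIZED, as the core API documentation states. Any caller that puts
// this into HTML must run it through check_plain() first.
function format_username($account) {
  return !empty($account->name) ? $account->name : 'Anonymous';
}

// Constructed sample account whose username carries markup. A user can set
// such a name at registration, so the module cannot assume it is plain text.
$account = (object) array(
  'uid'  => 42,
  'name' => '<b>Bold</b> Name',
);

// BEFORE (the defect reported here): the raw username goes straight into a
// table row that theme('table') renders as HTML, so the markup is interpreted.
function login_history_row_unsafe($account, $timestamp) {
  return array(
    format_username($account),
    date('Y-m-d H:i', $timestamp),
  );
}

// AFTER (the fix): escape the username at the point where it is placed into
// HTML, which is the rule the format_username() documentation spells out.
function login_history_row_safe($account, $timestamp) {
  return array(
    check_plain(format_username($account)),
    date('Y-m-d H:i', $timestamp),
  );
}

// Minimal stand-in for rendering one row the way a table theme would.
function render_row(array $cells) {
  return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

$now = time();
echo render_row(login_history_row_unsafe($account, $now)), PHP_EOL;
// <tr><td><b>Bold</b> Name</td>...  -> browser interprets the tags

echo render_row(login_history_row_safe($account, $now)), PHP_EOL;
// <tr><td>&lt;b&gt;Bold&lt;/b&gt; Name</td>...  -> shown literally
```

The review check that catches this class of bug is mechanical: every place a return value of `format_username()` (or any other function documented as returning unsanitized text) is concatenated into markup or handed to a theme function as a table cell must be wrapped in `check_plain()`; values that are already rendered HTML (for example the output of `theme('username', ...)`) must not be double-escaped.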

Comments

dave reid:

Issue summary: View changes

Adding note about blocking stable release.

greggles:

Status: Active » Needs review
Attached patch: status new, 1.92 KB

Something like this?

greggles:

Status: Needs review » Fixed

dave reid:

I won't tell anyone that this patch was needed. It'll be our secret!

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous:

Issue summary: View changes

Spelling error.