Problem/Motivation

From the original report by @mr.baileys:

Apologies, I found another XSS issue, this time in the Authcache Block submodule.

Create a custom block, embed <script> as part of the description, make sure the block is authcache-enabled, and visit admin/config/system/authcache/p13n (the markup substitution page). The script will be executed.

It's Less Critical, since it requires "Administer Blocks" to be exploited, but since core filters a block's description, and since "administer blocks" is not a restricted permission, it's probably best to fix it.

The same issue exists in Authcache Views (human readable view name) and Authcache Field (field label).

Proposed resolution

Use check_plain()
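The fix the issue proposes is plain output escaping: any admin-supplied label (block description, view name, field label) has to pass through check_plain() before it is placed into the markup of the p13n page, because theme_table() and '#markup' do not escape for you. The following is an added example written for this page, not code from the Authcache module or the committed patch; the block data is constructed, and the check_plain() stand-in is a hypothetical reimplementation of Drupal 7's function so that the script runs outside a Drupal bootstrap. It shows the vulnerable row builder next to the fixed one and a small guard that flags any raw tag surviving into a cell; the same pattern applies to the Views and Field cases mentioned above.

```php
<?php
// Added example (not authcache's own code): how an unescaped block
// description reaches the admin page, and how check_plain() fixes it.

// Stand-in for Drupal 7's check_plain(), which wraps htmlspecialchars()
// with ENT_QUOTES and UTF-8. Assumption: we are not inside a Drupal
// bootstrap, so the real function is not defined here.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a custom block whose description carries markup.
// Hypothetical data, not taken from the issue.
$block = (object) array(
  'module' => 'block',
  'delta'  => '1',
  'info'   => 'Sidebar promo <script>alert(1)</script>',
);

// Vulnerable: the description is put into the table row verbatim.
// theme_table() does not escape cell contents, so the markup is
// rendered as-is in the administrator's browser.
function p13n_row_vulnerable($block) {
  return array(
    $block->info,
    $block->module . ':' . $block->delta,
  );
}

// Fixed: escape every admin-supplied string before it becomes markup.
function p13n_row_fixed($block) {
  return array(
    check_plain($block->info),
    check_plain($block->module . ':' . $block->delta),
  );
}

// Regression guard: a properly escaped cell never contains a raw '<'.
function contains_raw_tag($cell) {
  return strpos($cell, '<') !== FALSE;
}

$vuln  = p13n_row_vulnerable($block);
$fixed = p13n_row_fixed($block);

printf("vulnerable cell: %s (raw tag: %s)\n",
  $vuln[0], contains_raw_tag($vuln[0]) ? 'yes' : 'no');
printf("fixed cell:      %s (raw tag: %s)\n",
  $fixed[0], contains_raw_tag($fixed[0]) ? 'yes' : 'no');
```

Run it with `php example.php`: the vulnerable row keeps the script element intact, while the fixed row carries only escaped entities. The guard is deliberately simple (it only looks for an unescaped `<`), which is enough to catch this class of regression in a test for an admin listing page.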

Remaining tasks

User interface changes

API changes

Data model changes

Attached files (comment / file / size / author):

#1 / xss_vulnerability_in-2541886-1.patch / 2.25 KB / znerol

Comments

znerol (comment #1):

Status: Active » Needs review
Attached: xss_vulnerability_in-2541886-1.patch (2.25 KB)

  • znerol committed becfa7b on 7.x-2.x
    Issue #2541886 by mr.baileys, znerol: XSS vulnerability in...
znerol:

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.