Follow-up to #2564283: Remove use of SafeMarkup::checkPlain() from adminSummary() and adminLabel() in views plugins
Part of #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping
While trying to reproduce double escaping from #2564283: Remove use of SafeMarkup::checkPlain() from adminSummary() and adminLabel() in views plugins I found an actual alert(), which is rare consider we escape things like gangbusters.
- Steps, add a plain text single value "field_alert" with
<script>alert('Title');</script>
in every field possible on article. - Go to the admin content view and add that new field as a filter.
- As soon as you click the checkbox, boom right in the kisser
Will try to figure out where that is coming from.
Comment | File | Size | Author |
---|---|---|---|
#2 | escaped_markup_with-2567673-2.patch | 591 bytes | joelpittet |
Comments
Comment #2
joelpittetHere's a fix. use $.html() so that the escaped HTML value is gathered instead of the preresentation when attempting to put back into HTML (alternative is to re-escape in JS)
Comment #3
joelpittetComment #4
lauriiiTested this manually using the steps to reproduce in the issue summary. I can reproduce the problem and this patch fixes the issue.
Comment #7
lauriiiIt seems like PIFR is having a hard time.. Very unrelated test fails because of this is a JS only patch.
Comment #8
alexpottYeah .text() is super dangerous will escaped text. This is not the first time see #2513646: Role name is unescaped on block admin via JS and #2512478: XSS on field edit form via label field via ckeditor.
Comment #9
alexpottCommitted dc2be10 and pushed to 8.0.x. Thanks!
Comment #11
chx CreditAttribution: chx commented> Yeah .text() is super dangerous will escaped text. This is not the first time
Wow! Why is this issue, an actual security hole not critical...? If this is not the first time, what are we doing, API, documentation, i-do-not-know to avoid a next time / contrib / custom?
Comment #12
dawehnerFor this particular issue you need "administer $entity_type fields", which is at least restricted, but yeah I totally agree that $.text() is a BFM (big fucking mess).