Problem/Motivation

The drupal_youtube service does not sanitize attribute values and is vulnerable to an XSS vulnerability.

Steps to reproduce

  1. Enable the drupal_youtube service.
  2. Create a text format that allows div tags with class and data-width attributes (but not the data-onload attribute).
  3. Create a node using this text format and insert this HTML in the field:
      <div class="youtube_player" data-width="&quot; onload=&quot;alert(`xss`);&quot;">Foo</div>
      
  4. The width attribute is not sanitized when building the iframe so the onload attribute is injected (thus bypassing the attribute restrictions from the text format).

Proposed resolution

I think Drupal.checkPlain() can be used to sanitize the attribute.
But the best practice is probably to build the iframe with DOM functions like createElement() and setAttribute().
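As an added example (not the drupal_youtube module's own code) of the two approaches suggested above: a helper that mirrors what Drupal.checkPlain() escapes, a whitelist for the width value, and a DOM builder using createElement()/setAttribute(). The function names, the embed URL format and the default width of 560 are assumptions.

```javascript
// Added example, not module code. Escapes the same characters as
// Drupal.checkPlain(): anything that could close an attribute value or
// start a tag. Assumed to match checkPlain() one for one.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stricter option: a width is only ever a plain length, so reject anything
// else before it reaches the markup. Returns null for invalid input, which
// is what the data-width payload from the issue summary produces.
function normalizeWidth(value) {
  const m = /^\s*(\d{1,4})(px|%)?\s*$/.exec(String(value));
  return m ? m[1] + (m[2] || '') : null;
}

// String-building variant: every dynamic value is escaped, and an invalid
// width falls back to an assumed default instead of being echoed.
function buildPlayerMarkup(videoId, width) {
  const safeWidth = normalizeWidth(width) || '560';
  const src = 'https://www.youtube.com/embed/' + encodeURIComponent(videoId);
  return '<iframe src="' + checkPlain(src) + '" width="' + checkPlain(safeWidth) +
    '" frameborder="0" allowfullscreen></iframe>';
}

// DOM variant for browser code: setAttribute() stores the value as data,
// so quoting inside it can never create a second attribute such as onload.
function buildPlayerElement(doc, videoId, width) {
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('src', 'https://www.youtube.com/embed/' + encodeURIComponent(videoId));
  iframe.setAttribute('width', normalizeWidth(width) || '560');
  iframe.setAttribute('frameborder', '0');
  iframe.setAttribute('allowfullscreen', '');
  return iframe;
}
```

In the browser, `buildPlayerElement(document, id, el.dataset.width)` replaces the placeholder div; the string variant is only for contexts where markup must be produced as text.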


Comments

prudloff created an issue. See original summary.

prudloff:

The drupal_vimeo service seems to be vulnerable as well.

klelostec made their first commit to this issue’s fork.

  • klelostec committed 0de1693e on 8.x-1.x
    Resolve #3374121 "Xss drupal youtube service"
    
klelostec:

Status: Active » Fixed
Issue tags: -Security
klelostec:

Status: Fixed » Active
Issue tags: +Security
klelostec:

Status: Active » Fixed
klelostec:

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.