Problem/Motivation

The module has a potential XSS vulnerability because it does not sanitize the value of the image's alt attribute before using it as the caption.

Steps to reproduce

Enable the ImageLightBox formatter on an image field.
Upload an image in this field and set this value as alternative text:

<img src=x onerror="alert()">

When clicking on the image, the malicious JS is executed.

Proposed resolution

captionReset() could use $captionObject.text() instead of $captionObject.html() to ensure the caption is sanitized.

Remaining tasks

User interface changes

API changes

Data model changes
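The proposed change, shown here as an added stand-alone illustration and not the imagelightbox module's own code: writing the alt value into the caption with .html() parses it as markup, whereas .text() inserts it as a text node that the browser serializes with <, > and & escaped. Since jQuery and a DOM are not available outside a browser, the block models the text-node serialization directly; the caption class name, the helper names and the regression check are assumptions.

```javascript
// Added illustration of the fix discussed in this issue; not the module's code.
// $captionObject.html(alt) parses the alt value as HTML, so a crafted alt
// attribute becomes live markup. $captionObject.text(alt) inserts it as a
// text node, which the browser serializes with <, > and & escaped.
// This DOM-less model reproduces both behaviours so they can be compared.

// What a text node containing `value` serializes to (the effect of jQuery .text()).
function serializeTextNode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape: the caption element's innerHTML is set to the raw alt text,
// so any tags or event handlers in it are parsed (the pre-fix captionReset()).
// The class name "imagelightbox-caption" is an assumption for this example.
function renderCaptionUnsafe(alt) {
  return '<div class="imagelightbox-caption">' + alt + '</div>';
}

// Fixed shape: the alt text becomes a text node and can never become markup.
function renderCaptionSafe(alt) {
  return '<div class="imagelightbox-caption">' + serializeTextNode(alt) + '</div>';
}

// Defender-side regression check: does the caption body still contain a
// parseable tag? Expected to be true for the unsafe form and false for the fix.
function captionContainsTag(html) {
  const inner = html.replace(/^<div[^>]*>/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample input: the alt value from the reproduction steps above.
const SAMPLE_ALT = '<img src=x onerror="alert()">';

// Runs both renderings over the sample so the difference is visible.
function demo() {
  return {
    unsafe: renderCaptionUnsafe(SAMPLE_ALT),
    safe: renderCaptionSafe(SAMPLE_ALT),
  };
}
```

In the safe rendering the sample alt text survives as the literal string the author typed, which is what a caption should show; the check in captionContainsTag is the kind of assertion a test for this fix would carry.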

Comments

prudloff created an issue. See original summary.

piridium made their first commit to this issue’s fork.

piridium changed the visibility of the branch 3518704-xss-vulnerability-in to hidden.

piridium changed the visibility of the branch 3518704-xss-vulnerability-in to active.

Assigned: Unassigned » piridium

  • piridium committed f0fb87a9 on 2.2.x
    Issue #3518704 by piridium, prudloff: XSS vulnerability in alt attribute

Status: Active » Fixed
We just released imagelightbox 2.2.5 which includes the fix for this issue. Thanks @prudloff for reporting it.

Assigned: piridium » Unassigned

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.