When customizing the dashboard, theme_dashboard_disabled_block($variables) does not properly sanitize the user-supplied block titles before outputting them, allowing users with the "View the administrative dashboard", "administer blocks" and "Use the administration pages and help" permissions to embed scripts in block titles.

Patch runs the output through check_plain for custom titles, similar to how block.module handles these.
Comment | File | Size | Author |
---|---|---|---|
#5 | dashboard_xss_block_title_688100_5.patch | 824 bytes | scor |
#2 | dashboard_xss_block_title.patch | 938 bytes | mr.baileys |
Comments
Comment #1
mr.baileys: Patch didn't make it in the OP.
Comment #2
mr.baileys: Hmrph. For some reason the link above links to the d.o. front page instead of my file. One more attempt to upload the file...
Comment #3
catch: Looks good, nice find! Marking RTBC and tagging for sec team.
Comment #4
Dries: Don't we need to escape block info too?
Comment #5
scor: Right, a custom block with an XSS description and no title also triggers the same XSS.
Comment #6
mr.baileys: Correct. I mistakenly assumed that $block['info'] would always be defined by modules.
Comment #7
scor: That's an easy one to RTBC, now that the testbot gave a green light. Anyone?
Comment #8
catch: Yep, looks good now, if my previous RTBC doesn't invalidate this one :)
Comment #9
Dries: Committed to CVS HEAD. Thanks.
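The following is an added, stand-alone PHP example written for this page; it is not the dashboard.module code or the attached patch. It shows the shape of the bug from the issue summary (block title concatenated into markup unescaped) next to the hardened shape that passes both the title and the `$block['info']` fallback raised in comments #4 to #6 through check_plain. The function names `render_disabled_block_vulnerable` and `render_disabled_block_fixed` are hypothetical, the block arrays are constructed sample input, and the local `check_plain` is a stand-in so the script runs with plain `php` outside Drupal (Drupal 7's check_plain is htmlspecialchars with ENT_QUOTES and UTF-8, which is what the stand-in does).

```php
<?php
// Added example, not code from the Drupal issue or from dashboard.module.
// Stand-in for Drupal 7's check_plain() so this runs outside Drupal; it does
// the same thing: HTML-escape the string, including quotes, as UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable shape (hypothetical name): the title, and the block "info"
// description used as a fallback when a block has no title, both come from
// users with "administer blocks" and are concatenated into markup as-is.
// '<none>' is Drupal 7's sentinel for "this block has no title".
function render_disabled_block_vulnerable(array $block) {
  $title = (!empty($block['title']) && $block['title'] != '<none>')
    ? $block['title']
    : (isset($block['info']) ? $block['info'] : '');
  return '<div class="disabled-block"><h2>' . $title . '</h2></div>';
}

// Hardened shape (hypothetical name): every user-controlled string goes
// through check_plain() before concatenation. The info fallback is escaped
// too, since a custom block with no title but a payload in its description
// reaches the same output path (comments #4 to #6 in the issue).
function render_disabled_block_fixed(array $block) {
  $title = (!empty($block['title']) && $block['title'] != '<none>')
    ? check_plain($block['title'])
    : (isset($block['info']) ? check_plain($block['info']) : '');
  return '<div class="disabled-block"><h2>' . $title . '</h2></div>';
}

// Returns true when the rendered markup still contains an unescaped tag,
// which is the condition a regression test for this issue would check.
function contains_raw_tag($html) {
  return (bool) preg_match('/<h2>[^<]*<(script|img)\b/i', $html);
}

// Constructed sample input: one block with a payload in its title, one with
// an empty title and a payload in its info/description.
$blocks = array(
  array('module' => 'block', 'delta' => '1',
        'title' => '<script>alert(1)</script>', 'info' => 'Custom block'),
  array('module' => 'block', 'delta' => '2',
        'title' => '', 'info' => '<img src=x onerror=alert(2)>'),
);

foreach ($blocks as $block) {
  $vuln  = render_disabled_block_vulnerable($block);
  $fixed = render_disabled_block_fixed($block);
  echo "vulnerable: " . $vuln . "\n";
  echo "fixed:      " . $fixed . "\n";
  echo "raw tag in vulnerable output: " . var_export(contains_raw_tag($vuln), true) . "\n";
  echo "raw tag in fixed output:      " . var_export(contains_raw_tag($fixed), true) . "\n\n";
}
```

Run it with `php example.php`: for both constructed blocks the vulnerable renderer emits the payload verbatim inside `<h2>`, while the fixed renderer emits `&lt;script&gt;...` and `&lt;img ...&gt;`, so `contains_raw_tag` reports true only for the vulnerable output. The point the second block makes is the one Dries raised: escaping the title alone is not enough when the fallback string is also user-controlled.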