Seven's template.php override of theme_admin_block_content() outputs a menu item's description without sanitizing. Core's theme_admin_block_content() runs through filter_xss_admin() so attached patch complies.

Attached file: seven-filter-menu-description.patch (780 bytes, by coltrane)
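To make the issue concrete, here is an added illustration of the pattern the summary describes (this is not the attached patch and not Seven's own code): a hypothetical Drupal 7 theme override, "mytheme", shown first in the unsanitized form and then aligned with core's theme_admin_block_content(), which runs the description through filter_xss_admin(). The code assumes a bootstrapped Drupal 7 environment where l(), filter_xss_admin() and system_admin_compact_mode() are available.

```php
<?php
// Added example, not the patch on this issue. Assumes Drupal 7 core functions.

/**
 * Unsafe form: the menu item's description is concatenated into the markup
 * untouched, so any HTML it contains reaches the admin's browser verbatim.
 * Note that l() already escapes the title, so the description is the only
 * unfiltered value in this output.
 */
function mytheme_admin_block_content_unsafe($variables) {
  $items = '';
  foreach ($variables['content'] as $item) {
    $items .= '<li class="leaf">';
    $items .= l($item['title'], $item['href'], $item['localized_options']);
    if (isset($item['description']) && !system_admin_compact_mode()) {
      // Defect: no filtering here.
      $items .= '<div class="description">' . $item['description'] . '</div>';
    }
    $items .= '</li>';
  }
  return $items ? '<ul class="admin-list">' . $items . '</ul>' : '';
}

/**
 * Fixed form, in line with core's theme_admin_block_content(): the description
 * goes through filter_xss_admin(). That filter keeps the admin-level allow list
 * of body tags (so light inline markup in a description survives) but strips
 * <script>/<style>, on* event attributes and javascript: URLs, which is the
 * same level of trust core applies to these descriptions.
 */
function mytheme_admin_block_content($variables) {
  $items = '';
  foreach ($variables['content'] as $item) {
    $items .= '<li class="leaf">';
    $items .= l($item['title'], $item['href'], $item['localized_options']);
    if (isset($item['description']) && !system_admin_compact_mode()) {
      $items .= '<div class="description">' . filter_xss_admin($item['description']) . '</div>';
    }
    $items .= '</li>';
  }
  return $items ? '<ul class="admin-list">' . $items . '</ul>' : '';
}
```

The one-line difference is the whole fix: a theme override that rebuilds core markup must also reproduce core's filtering step, otherwise the override silently reopens an output path that core had already closed. When reviewing a theme's template.php, comparing each overridden theme_*() function against its core original for exactly this kind of dropped filter_xss_admin()/check_plain() call is a cheap check.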

Comments

coltrane:

We should be filtering and escaping before the theme system ...

coltrane:

Status: Active » Needs review

Missed setting status.

cosmicdreams:

Status: Needs review » Needs work

The last submitted patch, seven-filter-menu-description.patch, failed testing.

aspilicious:

Status: Needs work » Needs review

coltrane:

Priority: Normal » Critical

Marking critical since this has to be fixed before a 1.0 release.

seutje:

Issue tags: +Security improvements

Makes sense to me, handing it to the security folks.

catch:

Status: Needs review » Reviewed & tested by the community

filter_xss_admin() is what we use in the theme_*() function so this just brings it into line.

Dries:

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD.

Status: Fixed » Closed (fixed)
Issue tags: -Security improvements

Automatically closed -- issue fixed for 2 weeks with no activity.