Yes, another silly but necessary filter for a field that's only filled by default by users with 'administer users'! The user edit page is susceptible to XSS by really mean people who enter JS in the picture guidelines at admin/config/people/accounts.

Steps to reproduce:
1) Enter malicious JS in the picture guidelines form at the Account settings page
2) See the JS executed at a user edit page

Attachment: #1 779430-user-pic-guidelines-xss.patch (1.17 KB) by coltrane

Comments

coltrane

Status: Active » Needs review
File: 779430-user-pic-guidelines-xss.patch (1.17 KB)

Patch wraps pic guidelines in filter_xss_admin()
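The change comment #1 describes, shown as an added before/after example (this is not the committed patch or Drupal's own code). It assumes a bootstrapped Drupal 7 site, so `t()`, `variable_get()` and `filter_xss_admin()` exist; the function names `example_picture_guidelines_vulnerable()` and `example_picture_guidelines_fixed()` and the `$form['picture']['upload']` element are illustrative:

```php
<?php
// Added example, not the project's code. Assumes Drupal 7 is bootstrapped so
// t(), variable_get() and filter_xss_admin() are available.

// Before: the guidelines saved by an administrator at
// admin/config/people/accounts are concatenated into the field's
// #description as raw HTML. Because #description is rendered unescaped,
// a stored <script> or on* handler runs for every user who opens the edit
// form, which is the stored XSS the issue reports.
function example_picture_guidelines_vulnerable(array &$form) {
  $form['picture']['upload']['#description'] =
    t('Your virtual face or picture.') . ' ' .
    variable_get('user_picture_guidelines', '');
}

// After: the same value passed through filter_xss_admin(). That filter keeps
// the broad tag set an administrator legitimately needs for formatted
// guidelines (links, lists, emphasis and so on) but strips tags outside its
// allowlist, such as <script>, removes on* event attributes and neutralises
// javascript: and similar dangerous URL protocols.
function example_picture_guidelines_fixed(array &$form) {
  $form['picture']['upload']['#description'] =
    t('Your virtual face or picture.') . ' ' .
    filter_xss_admin(variable_get('user_picture_guidelines', ''));
}
```

The point of choosing `filter_xss_admin()` over `check_plain()` is that the guidelines are meant to carry markup, so escaping everything would break legitimate use; an allowlist filter keeps the formatting while removing the executable parts.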

coltrane

Issue tags: +Security improvements
mr.baileys

Category: task » bug
Status: Needs review » Reviewed & tested by the community
Issue tags: +quickfix

I agree. I don't think there are valid reasons for embedding scripts in the picture submission guidelines, so running it through filter_xss_admin() is the sensible thing to do.

Confirmed the bug, reviewed the patch, applied the patch, tested the patch, RTBC.

meba

Looks good to me.

meba

Priority: Normal » Critical

And btw., this is Security, therefore critical.

Dries

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Security improvements, -quickfix

Automatically closed -- issue fixed for 2 weeks with no activity.