Yes, another silly but necessary filter for a field that's only filled by default by users with 'administer users'! The user edit page is susceptible to XSS by really mean people who enter JS in the picture guidelines at admin/config/people/accounts.
Steps to reproduce:
1) Enter malicious JS in the picture guidelines form at the Account settings page
2) See the JS executed at a user edit page
Comment | File | Size | Author |
---|---|---|---|
#1 | 779430-user-pic-guidelines-xss.patch | 1.17 KB | coltrane |
Comments
Comment #1
coltrane: Patch wraps pic guidelines in filter_xss_admin()
Comment #2
coltrane
Comment #3
mr.baileys: I agree. I don't think there are valid reasons for embedding scripts in the picture submission guidelines, so running it through filter_xss_admin() is the sensible thing to do.
Confirmed the bug, reviewed the patch, applied the patch, tested the patch, RTBC.
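An added illustration of the before/after form element that the patch in #1 describes (this is not the issue's patch or Drupal's own code); it assumes the Drupal 7 form API names t(), variable_get() and filter_xss_admin(), a simplified form-array shape, and a constructed guideline value.

```php
<?php
// Added illustration, not the patch from this issue. Assumes Drupal 7's
// t(), variable_get() and filter_xss_admin(); the form-array shape is a
// simplified stand-in for the picture element on the user edit form.

// Constructed sample of what a user with 'administer users' could save
// in the picture guidelines at admin/config/people/accounts.
$stored_guidelines = 'Square photos only. <script>alert(1)</script>';

/**
 * Vulnerable: the admin-entered string is concatenated into #description
 * unfiltered, so any markup it carries is rendered for every user who
 * opens their own edit page.
 */
function example_picture_element_vulnerable(array $form, $guidelines) {
  $form['picture']['picture_upload'] = array(
    '#type' => 'file',
    '#title' => t('Upload picture'),
    '#description' => t('Your virtual face or picture.') . ' ' . $guidelines,
  );
  return $form;
}

/**
 * Fixed (what the patch in #1 does): filter_xss_admin() keeps the HTML an
 * administrator reasonably needs for guidelines (links, emphasis, lists)
 * and strips <script> and similar tags, leaving only their inert text.
 */
function example_picture_element_fixed(array $form, $guidelines) {
  $form['picture']['picture_upload'] = array(
    '#type' => 'file',
    '#title' => t('Upload picture'),
    '#description' => t('Your virtual face or picture.') . ' '
      . filter_xss_admin($guidelines),
  );
  return $form;
}

// In user.module the guidelines are read with
// variable_get('user_picture_guidelines', ''); $stored_guidelines stands in
// for that value here so the two builders can be compared side by side.
$form = example_picture_element_fixed(array(), $stored_guidelines);
// #description is now "Your virtual face or picture. Square photos only.
// alert(1)" with the <script> tags removed, so nothing executes.
```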
Comment #4
meba: Looks good to me.
Comment #5
meba: And btw., this is Security, therefore critical.
Comment #6
Dries: Committed to CVS HEAD. Thanks.