If filter formats contain HTML, that HTML is not properly escaped. This would theoretically be an XSS attack vector if it were not for the fact that someone with permission to 'administer filters' can already execute XSS attacks as much as they like. In a more benign version, this is a bug because it will break the page HTML if, say, a trailing < is included in the filter name. The attached patch solves the problem by check_plain()'ing the filter name. Note that the filter name was already check_plain()'d in the select list, so it's not like filters were supposed to be able to have HTML in them.

CommentFileSizeAuthor
filter_check_plain_01.patch946 bytescwgordon7
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

marcingy’s picture

marcingy CreditAttribution: marcingy commented
Status: Needs review » Reviewed & tested by the community

Seems simple and straight forward enough.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Good catch. Committed to CVS HEAD.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

I think this patch only got one of many such instances - note that there is an open issue at #779374: XSS via text format names trying to fix all of them....

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.