If filter formats contain HTML, that HTML is not properly escaped. This would theoretically be an XSS attack vector if it were not for the fact that someone with permission to 'administer filters' can already execute XSS attacks as much as they like. In a more benign version, this is a bug because it will break the page HTML if, say, a trailing < is included in the filter name. The attached patch solves the problem by check_plain()'ing the filter name. Note that the filter name was already check_plain()'d in the select list, so it's not like filters were supposed to be able to have HTML in them.
Comment | File | Size | Author |
---|---|---|---|
filter_check_plain_01.patch | 946 bytes | cwgordon7 | |
Comments
Comment #1
marcingy CreditAttribution: marcingy commentedSeems simple and straight forward enough.
Comment #2
Dries CreditAttribution: Dries commentedGood catch. Committed to CVS HEAD.
Comment #3
David_Rothstein CreditAttribution: David_Rothstein commentedI think this patch only got one of many such instances - note that there is an open issue at #779374: XSS via text format names trying to fix all of them....