The revision unpublish form outputs the node title using !placeholder in t() so it is vulnerable to XSS. There are also PHP strict issues when using drupal_render(drupal_get_form()) as you have to separate the calls out since drupal_render() expects a reference.

CommentFileSizeAuthor
#4 1093722-wbmod-xss-misc.patch7.02 KBDave Reid
#2 1093722-wbmod-xss-misc.patch7.02 KBDave Reid
#1 1093722-wbmod-xss-misc.patch7.94 KBDave Reid
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Status: Active » Needs review
FileSize
1093722-wbmod-xss-misc.patch7.94 KB
Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1093722-wbmod-xss-misc.patch7.02 KB

Without debugging code this time.

stevector’s picture

stevector
he/him
CreditAttribution: stevector commented

Thanks Dave. I patched my version and everything seemed fine. Anyone else want to test this before moving it in?

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
FileSize
1093722-wbmod-xss-misc.patch7.02 KB

Found a bug with the change of placeholder replacements. This one should be good to roll.

muriqui’s picture

muriqui CreditAttribution: muriqui commented

Patch works for me. Messages look good, annoying strict warnings are gone.

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Status: Needs review » Fixed

Committed to Git.
http://drupalcode.org/project/workbench_moderation.git/commit/c316125

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.