Version: 7.x-2.x-dev
Risk: not critical

openlayers_ui does not sanitize title and descriptions for maps on admin/structure/openlayers/maps. Adding a new map on admin/structure/openlayers/maps/add with Map Description "<script>alert('XSS');</script>" demonstrates an XSS exploit.

Of course an attacker needs the "administer openlayers" permission to place a malicious script snippet there, so this is rather boring. The permission is not marked as restricted in hook_permission(), so this is a small security issue.

This has been discussed with the Drupal security team: this vulnerability can be fixed publicly as per because it affects a branch (or branches) of a project that does not have a "stable release".


zzolo’s picture

Thanks @klausi for catching that. I'll try to take care of it this week or next.

zzolo’s picture

Addressed in 6.x-2.x:
And in 7.x-2.x:

Security Team, can confirm that this fixes things, then I can do a release. Thanks.

zzolo’s picture

I have also set up two tags ready for release that basically only have the security fix on them.

zzolo’s picture

Status: Active » Fixed

Released and told Security Team.

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Updated issue summary.