When editing "in place" a field, if the field label contains HTML it is not sanitized and malicious code may be executed (but "Administer content types" permission is required, which should be given only to trusted administrators).

Files:
#2 1889376-field_label_checkplain-1.patch (878 bytes) by Wim Leers
PASSED: [[SimpleTest]]: [MySQL] 50,788 pass(es).

Comments

grisendo

Title: Label not sanitized » Edit module: Field label not sanitized
Wim Leers

Assigned: Unassigned » Wim Leers
Status: Active » Needs review
Attached: new patch, 878 bytes (#2 above)
PASSED: [[SimpleTest]]: [MySQL] 50,788 pass(es).

Simple fix; this is in line with what Field.module does in core/modules/field/lib/Drupal/field/Plugin/Type/Widget/WidgetBase.php:

'#title' => check_plain($instance['label']),

As the issue summary indicates, this is only a problem when malicious users have the administer content types permission.
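The following is an added example, not code from the patch or from Drupal: it shows what the one-line change in the comment above does to the value that ends up in a widget's '#title'. Drupal's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8, so the script uses a local stand-in of the same shape (an assumption so it runs without a Drupal bootstrap); build_title_element() and the $instance arrays are constructed for the demonstration and mimic the $instance['label'] access in WidgetBase.php.

```php
<?php
// Added example (not Drupal's code): escape an admin-supplied field label at
// output time, the same way the patch does for the Edit module.
// Stand-in for Drupal's check_plain(): htmlspecialchars() with ENT_QUOTES, UTF-8.
function check_plain_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical builder for the '#title' of a field widget or in-place editor.
// $instance mimics the field instance array used in WidgetBase.php; $sanitize
// toggles between the unpatched (raw) and patched (escaped) behaviour.
function build_title_element(array $instance, bool $sanitize): array {
    $label = $instance['label'];
    return [
        '#title' => $sanitize ? check_plain_standin($label) : $label,
    ];
}

// Constructed sample labels: ordinary text, text with an ampersand, and a
// label containing markup such as a hostile administrator could save.
$samples = [
    ['label' => 'Body'],
    ['label' => 'Terms & Conditions'],
    ['label' => '<b>Title</b><script>alert(1)</script>'],
];

foreach ($samples as $instance) {
    $raw  = build_title_element($instance, false)['#title'];
    $safe = build_title_element($instance, true)['#title'];
    // After escaping, no raw markup characters survive into the render array.
    assert(strpos($safe, '<') === false && strpos($safe, '>') === false);
    printf("raw:  %s\nsafe: %s\n\n", $raw, $safe);
}
```

The escaping is applied where the label is rendered rather than where it is saved, which is why the same check_plain() call is needed in each module that outputs the label, not only in the field settings form that stores it.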

Wim Leers

Title: Edit module: Field label not sanitized » Field label not sanitized
swentel

Status: Needs review » Reviewed & tested by the community

Looks good

webchick

Status: Reviewed & tested by the community » Fixed

That is un-good! Nice catch, grisendo!

Committed and pushed to 8.x. Thanks!

grisendo

Sorry! Wrong post :P (and I can't delete this comment).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.