When editing "in place" a field, if the field label contains HTML it is not sanitized and malicious code may be executed (but "Administer content types" permission is required, which should be given only to trusted administrators).

#2: 1889376-field_label_checkplain-1.patch (878 bytes), Wim Leers. PASSED: [[SimpleTest]]: [MySQL] 50,788 pass(es).


grisendo

Title: Label not sanitized » Edit module: Field label not sanitized
Wim Leers

Assigned: Unassigned » Wim Leers
Status: Active » Needs review

Simple fix; this is in line with what Field.module does in core/modules/field/lib/Drupal/field/Plugin/Type/Widget/WidgetBase.php:

'#title' => check_plain($instance['label']),

As the issue summary indicates, this is only a problem when malicious users have the administer content types permission.
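The following is an added example, not code from Drupal core or the Edit module, that shows why an unescaped field label used as a form element's '#title' is a stored-XSS sink and what the check_plain() call in the patch changes. render_title() is a hypothetical stand-in for the theme layer; drupal_check_plain() reproduces the behaviour of Drupal's check_plain() (htmlspecialchars with ENT_QUOTES and UTF-8); the $instance array and its label are constructed sample data.

```php
<?php
// Stand-in for Drupal's check_plain(): escape &, <, >, " and ' for safe
// inclusion in HTML. This is the sanitization the patch adds.
function drupal_check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer standing in for the form theme layer. Like the real
// one, it trusts '#title' as markup, which is why the caller must escape it.
function render_title(array $element) {
    return '<label for="edit-' . $element['#name'] . '">' . $element['#title'] . '</label>';
}

// Constructed field instance, as a user with "administer content types"
// could have saved it: the label carries markup.
$instance = array(
    'field_name' => 'field_body',
    'label'      => 'Body <script>alert("label")</script>',
);

// Before the fix: the label is passed through verbatim and becomes live HTML.
$unsafe = array('#name' => $instance['field_name'], '#title' => $instance['label']);

// After the fix (the same thing WidgetBase.php already does): escape first.
$safe = array('#name' => $instance['field_name'], '#title' => drupal_check_plain($instance['label']));

// Regression-style check: the rendered label must contain no markup other
// than the wrapping <label> element itself.
function label_is_plain($html) {
    $inner = preg_replace('#^<label[^>]*>(.*)</label>$#s', '$1', $html);
    return $inner === strip_tags($inner);
}

echo render_title($unsafe), PHP_EOL;
// <label for="edit-field_body">Body <script>alert("label")</script></label>
echo render_title($safe), PHP_EOL;
// <label for="edit-field_body">Body &lt;script&gt;alert(&quot;label&quot;)&lt;/script&gt;</label>

var_dump(label_is_plain(render_title($unsafe))); // bool(false)
var_dump(label_is_plain(render_title($safe)));   // bool(true)
```

The escaping happens at the point where the untrusted string is handed to something that interprets it as markup, not where it is stored; that keeps the label editable as typed while making the rendered form inert, and label_is_plain() is the kind of assertion a SimpleTest for this issue could make.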

Wim Leers

Title: Edit module: Field label not sanitized » Field label not sanitized
swentel

Status: Needs review » Reviewed & tested by the community

Looks good

webchick

Status: Reviewed & tested by the community » Fixed

That is un-good! Nice catch, grisendo!

Committed and pushed to 8.x. Thanks!

grisendo

Sorry! Wrong post :P (and I can't delete this comment).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.