When editing a field "in place", if the field label contains HTML it is not sanitized and malicious code may be executed (but the "Administer content types" permission is required, which should be given only to trusted administrators).

#2 1889376-field_label_checkplain-1.patch (878 bytes), Wim Leers
PASSED: [[SimpleTest]]: [MySQL] 50,788 pass(es).


grisendo:

Title: Label not sanitized » Edit module: Field label not sanitized
Wim Leers:

Assigned: Unassigned » Wim Leers
Status: Active » Needs review

Simple fix; this is in line with what Field.module does in core/modules/field/lib/Drupal/field/Plugin/Type/Widget/WidgetBase.php:

'#title' => check_plain($instance['label']),

As the issue summary indicates, this is only a problem when malicious users have the administer content types permission.
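To make the before/after concrete, here is a small stand-alone PHP script added for this page (it is not code from the Edit module or Drupal core): render_label() and the $instance label are assumptions standing in for the form pipeline, and check_plain() is shimmed with the same htmlspecialchars() call Drupal's own check_plain() makes.

```php
<?php
// Added example, not the Edit module's or core's own code. check_plain() is
// shimmed with the same htmlspecialchars() call Drupal's check_plain() makes,
// so the script runs without a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Stand-in (assumption) for how a form element's '#title' reaches the page:
// whatever is in '#title' is concatenated straight into the label markup.
function render_label(array $element) {
  return '<label>' . $element['#title'] . '</label>';
}

// Constructed field instance whose label carries markup, as an account with
// "administer content types" could save it. The tag content is a placeholder.
$instance = ['label' => 'Body <script>x()</script>'];

// Before the fix: the label is interpolated as raw HTML, so the browser
// interprets the tag instead of displaying it.
$unsafe = render_label(['#title' => $instance['label']]);

// After the fix, as in WidgetBase.php: the label is escaped before rendering,
// so the same string is shown literally.
$safe = render_label(['#title' => check_plain($instance['label'])]);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Regression check: no raw tag from the label survives in the escaped output.
assert(strpos($safe, '<script') === false);
```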

Wim Leers:

Title: Edit module: Field label not sanitized » Field label not sanitized
swentel:

Status: Needs review » Reviewed & tested by the community

Looks good.

webchick:

Status: Reviewed & tested by the community » Fixed

That is un-good! Nice catch, grisendo!

Committed and pushed to 8.x. Thanks!

grisendo:

Sorry! Wrong post :P (and I can't delete this comment).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.