Port form_select_options() XSS fix from SA-CORE-2014-003 [#2304965]

See https://www.drupal.org/SA-CORE-2014-003

Patch from D7:

diff --git a/includes/form.inc b/includes/form.inc
index 846bcb5..3840885 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -2722,7 +2722,7 @@ function form_select_options($element, $choices = NULL) {
   $options = '';
   foreach ($choices as $key => $choice) {
     if (is_array($choice)) {
-      $options .= '<optgroup label="' . $key . '">';
+      $options .= '<optgroup label="' . check_plain($key) . '">';
       $options .= form_select_options($element, $choice);
       $options .= '</optgroup>';
     }

Comment	File	Size	Author
#5	2304965-optgroup-xss-FAIL.patch	1.79 KB	longwave
#5
#5	2304965-optgroup-xss-PASS.patch	2.33 KB	longwave
#5
#2	2304965-optgroup-xss.patch	546 bytes	longwave
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 17 July 2014 at 10:35

Issue tags:

+Security Advisory follow-up

Comment #2

longwave

he/him

English

CreditAttribution: longwave commented 17 July 2014 at 21:22

Status:

Active

» Needs review

File	Size
2304965-optgroup-xss.patch	546 bytes

Comment #3

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 17 July 2014 at 21:39

Status:

Needs review

» Reviewed & tested by the community

assuming bot agrees

Comment #4

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 17 July 2014 at 21:43

Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs tests

I know there is not test case in D7, but we should do it properly here.

Comment #5

longwave

he/him

English

CreditAttribution: longwave commented 17 July 2014 at 22:11

Status:	Needs work	» Needs review
Issue tags:	-Needs tests

File	Size
2304965-optgroup-xss-PASS.patch	2.33 KB

2304965-optgroup-xss-FAIL.patch	1.79 KB

1 file was hidden/shown/deleted

File	Size
2304965-optgroup-xss.patch	546 bytes

Comment #6

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 17 July 2014 at 22:20

Status:

Needs review

» Reviewed & tested by the community

thanks

Comment #7

17 July 2014 at 22:51

Status:

Reviewed & tested by the community

» Needs work

The last submitted patch, 5: 2304965-optgroup-xss-FAIL.patch, failed testing.

Comment #8

klausi

he/him||they/them

German

🇦🇹 Vienna

CreditAttribution: klausi commented 17 July 2014 at 22:57

Status:

Needs work

» Reviewed & tested by the community

Failed as expected, back to RTBC.

Comment #9

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott commented 18 July 2014 at 07:52

Status:

Reviewed & tested by the community

» Fixed

Committed c05668e and pushed to 8.x. Thanks!

Comment #10

18 July 2014 at 07:55

alexpott committed c05668e on 8.x

Issue #2304965 by longwave | klausi: Fixed Port form_select_options()...

Comment #11

12 August 2014 at 23:50

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Port form_select_options() XSS fix from SA-CORE-2014-003

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community