The module list page is not XSS safe: it does not escape markup placed in the `description` key of a module's `.info.yml` file, so a script in that description is rendered into the page as-is.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 2527544-1.patch | 988 bytes | joshi.rohit100 |
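The defect in the issue summary, shown as an added example (this is not code from the issue, the attached patch, or Drupal core): a constructed `.info.yml`-style array whose `description` carries markup is rendered once verbatim and once through an escaping helper that does what Drupal's `\Drupal\Component\Utility\Html::escape()` does, so the file runs without Drupal installed. The names `escape_html`, `render_row_unsafe`, `render_row_safe` and `description_is_inert`, and the sample data, are assumptions made for this example.

```php
<?php
// Added example, not part of the Drupal issue or of Drupal core.
// Shows why a module's info.yml "description" must be escaped before it is
// rendered on the module list page (the same applies to theme descriptions).

// Constructed sample: the shape of a parsed .info.yml array. The description
// carries a benign demonstration tag that must not reach the page raw.
$info = [
  'name' => 'Example Module',
  'type' => 'module',
  'description' => 'A helpful module <script>alert(1)</script>',
  'core_version_requirement' => '^10',
];

/**
 * Escapes a string for inclusion in HTML text.
 *
 * Same call Drupal's Html::escape() makes (htmlspecialchars with
 * ENT_QUOTES | ENT_SUBSTITUTE and UTF-8); duplicated here so the file is
 * self-contained.
 */
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Unsafe rendering: info.yml values are concatenated into markup verbatim.
 * This reproduces the behaviour the issue reports; never use it in real code.
 */
function render_row_unsafe(array $info): string {
  return '<tr><td>' . $info['name'] . '</td><td>' . $info['description'] . '</td></tr>';
}

/**
 * Safe rendering: every info.yml value is escaped on output.
 */
function render_row_safe(array $info): string {
  return '<tr><td>' . escape_html($info['name']) . '</td><td>'
    . escape_html($info['description']) . '</td></tr>';
}

/**
 * Check for a rendered row: TRUE when no tag other than the <tr>/<td>
 * markup we generated ourselves survived into the output, i.e. nothing
 * from the untrusted info values is interpreted as HTML.
 */
function description_is_inert(string $html): bool {
  $stripped = preg_replace('#</?t[rd]>#', '', $html);
  return $stripped === strip_tags($stripped);
}

$unsafe = render_row_unsafe($info);
$safe = render_row_safe($info);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
var_dump(description_is_inert($unsafe));
var_dump(description_is_inert($safe));
```

Run it with `php example.php`. The unsafe row carries the script tag into the page, so the check fails; the safe row renders the description as visible text (`&lt;script&gt;...`) and passes. The point the thread debates is whether this matters when the info file ships alongside PHP that could do anything anyway; escaping on output costs nothing and keeps the module list page correct regardless of where the file came from.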
Comments
Comment #1
joshi.rohit100: Also, the same is true for themes. Don't know whether it should be here or in a separate issue.
Comment #2
dawehner: Well, you know, if you control the info file, you can change the PHP, and then the info file is the smallest problem you have.
Comment #3
cilefen: Is this a real problem? YAML files count as code, right? If this requires a malicious module then it could be prevented, but it is not major.
Comment #4
joshi.rohit100: Well, my concern is for the site builders who don't know about PHP (programming). What if they install (download) a module using the UI and that contrib module contains a malicious script / code in the info file? Then they will need help from some developer.
Comment #5
naveenvalecha: There are chances with custom modules, but regarding contrib modules there are no chances that they will contain malicious code. We even consider the README files in contributed modules as trustable because they are provided by the modules. AFAIK in project application reviews we say the README file provided by a module is trustable. The .info.yml files in modules are also trustable, so this case will not appear with contributed modules.
This case can happen with custom/sandbox modules. So if it's the case with custom/sandbox modules, I agree on sanitizing the module description.
It is also recommended not to use sandbox modules on production websites, and if they are using them then it is at their own risk.
Note: /me does not agree on sanitizing the description text because it's coming from a trustable source.
Comment #6
cilefen: Arguably, there is no reason not to sanitize these, but the threat model is so small this should be normal priority. #2 made the point that if you have a malicious YAML file you could also have malicious PHP, and how would this help then?
Comment #7
mgifford: Patch needs re-roll.
Comment #16
quietone: This is a duplicate of an earlier issue, #637538: Module and theme names are not filtered on output.
Comment #17
quietone