Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.While using a custom template file, using $title variable caused an XSS vulnerability.
Suggesting this patch to prevent it from happening elsewhere.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 2592143-3--template_title_sanitization.patch | 551 bytes | drunken monkey |
| preventing-custom-xss-1.patch | 1.22 KB | Moo64c | |
Comments
Comment #2
Moo64c CreditAttribution: Moo64c at Gizra commentedComment #3
drunken monkeyThanks for reporting this problem!
While I'm pretty sure yours is the correct way to do this (I'm unfortunately not very good with the theming layer), I'm not sure whether we can easily introduce such a change in this part of the code at this point. After all, this might break the code of other people who are overriding this template. (And, unfortunately, nobody reads release notes, as you are probably aware.) So, before really changing this, I'd at least need feedback from other people who would be in favor of this change.
What we should in any case do, though, is more clearly documenting that the
$titlevariable is unsanitized.(Also, in case we do change the variables, we should probably take the opportunity to fix the variable list in
hook_theme().)Comment #5
drunken monkeyWould have been great to get further feedback, but I guess a one-line comment change patch can also not really break anything.
So, committed. Please re-open if you have any other suggestions.