It's possible that user input could be passed into the confirm form message, or into any of the strings used by batch_set(), so to be safe we should sanitize against XSS.
This is essentially a backport of a very small subset of the changes proposed here: http://drupal.org/node/242873
See attached for my analysis, which suggests that there is currently no apparent security hole due to batch_set() in the contributed modules.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | sanitize-batch-confirm-262514-1.patch | 3.23 KB | pwolanin |
| | batch_set.txt | 11.56 KB | pwolanin |
Comments
Comment #1
pwolanin commented: Here's the patch - uses filter_xss() or filter_admin_xss().
Comment #2
pwolanin commented: Per Heine - we should improve the doxygen, but otherwise trust these strings.
Comment #3
dpearcefl commented: Does this issue exist in current D6?
Comment #4
dpearcefl commented: We want your patch if it is still needed. Please resubmit it.