It's possible that user input could be passed into the confirm form message, or into any of the strings used by batch_set(), so to be safe we should sanitize against XSS.

This is essentially a backport of a very small subset of the changes proposed here: http://drupal.org/node/242873

See attached for my analysis, which suggests that there is currently no apparent security hole due to batch_set() in the contributed modules.
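For readers who want to see what the caller-side sanitization discussed in this issue looks like in practice, here is an added example; it is not part of this issue, the attached patch or Drupal core. It assumes a hypothetical Drupal 6 module named example_batch with a confirm form that collects a free-text label and a list of node ids. batch_set(), t(), check_plain(), filter_xss(), node_load(), drupal_set_message() and the $form_state structure are real Drupal 6 APIs; the module, form fields and callback names are invented for illustration.

```php
<?php
// Added example, not from the issue or Drupal core. Hypothetical Drupal 6
// module "example_batch": a confirm form collects a free-text label and a
// list of node ids, and the submit handler starts a batch whose title and
// messages mention that label. Strings handed to batch_set() are rendered
// as HTML by the batch progress page (title, init message, progress
// message), so anything user-controlled must be escaped by the caller.

/**
 * Submit handler for the hypothetical confirm form.
 */
function example_batch_confirm_submit($form, &$form_state) {
  // Assumed form fields: 'label' (free text) and 'nids' (checkbox values).
  $label = $form_state['values']['label'];   // untrusted, straight from the user
  $nids  = array_filter($form_state['values']['nids']);

  $operations = array();
  foreach ($nids as $nid) {
    $operations[] = array('example_batch_process_item', array((int) $nid));
  }

  // UNSAFE pattern: a '!' placeholder or plain concatenation inserts $label
  // verbatim, so a label like <script>alert(1)</script> reaches the page title
  // and progress message unescaped:
  //
  //   'title'        => t('Processing !label', array('!label' => $label)),
  //   'init_message' => 'Starting ' . $label . ' ...',

  // SAFE pattern: t() runs '@' placeholders through check_plain() and wraps
  // '%' placeholders in check_plain() plus <em>. If a label may legitimately
  // carry limited markup, run it through filter_xss() first and then pass the
  // already-sanitized result via '!' so it is not escaped twice.
  $batch = array(
    'title'            => t('Processing @label', array('@label' => $label)),
    'init_message'     => t('Starting batch for %label.', array('%label' => $label)),
    // @current and @total are substituted later by the batch engine; t()
    // returns the string unchanged when no arguments are given.
    'progress_message' => t('Processed @current out of @total nodes.'),
    'error_message'    => t('The batch for @label hit an error.', array('@label' => $label)),
    'operations'       => $operations,
    'finished'         => 'example_batch_finished',
  );
  batch_set($batch);
  // The Form API calls batch_process() after submit handlers run, so nothing
  // more is needed here.
}

/**
 * Batch operation: process a single node.
 *
 * $context['message'] is also printed on the progress page, so a node title
 * (user-supplied as well) gets the same escaping treatment.
 */
function example_batch_process_item($nid, &$context) {
  $node = node_load($nid);
  if ($node) {
    // Real work on $node would go here (e.g. node_save($node)).
    $context['results'][] = $nid;
    $context['message'] = t('Processed %title', array('%title' => $node->title));
  }
}

/**
 * Batch 'finished' callback.
 */
function example_batch_finished($success, $results, $operations) {
  if ($success) {
    drupal_set_message(format_plural(count($results), 'One node processed.', '@count nodes processed.'));
  }
  else {
    drupal_set_message(t('The batch did not finish cleanly.'), 'error');
  }
}
```

The point the example makes is the one the thread settles on: batch_set() trusts its strings, so the module that builds the batch definition is the place where user input must be passed through t() placeholders, check_plain() or filter_xss() before it can reach the progress page.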


Comments

pwolanin

Status: Active » Needs review
FileSize: 3.23 KB

Here's the patch - uses filter_xss() or filter_admin_xss().

pwolanin

Status: Needs review » Needs work

Per Heine: we should improve the doxygen, but otherwise trust these strings.

dpearcefl

Status: Needs work » Postponed (maintainer needs more info)

Does this issue exist in current D6?

dpearcefl

Status: Postponed (maintainer needs more info) » Needs work

We want your patch if it is still needed. Please resubmit it.

Status: Needs work » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.