Problem/Motivation
There are two potential problems when a variable is output to the screen:
- You miss escaping it in the first place
- You escape it twice
The code

    use Drupal\Component\Utility\Html;

    // Switch the title on a per-service basis if required.
    // $mtitle = $mtitle;.
    switch ($service_code_name) {
      case 'twitter':
        // Without a suffix $mtitle is passed through unescaped; with a suffix both parts are escaped.
        $mtitle = empty($data_options['twitter_suffix']) ? $mtitle : Html::escape($mtitle) . ' ' . Html::escape($data_options['twitter_suffix']);
        break;
    }

seems to escape in one case, but not in the other.
In other words, we may have either no escaping (a potential security problem) or double escaping, which leads to annoying escaped quotes (`&quot;`) showing up in the title.
Proposed resolution
- Validate by putting some simple JS into these titles and checking whether the Drupal Attribute functionality escapes automatically
- In case it doesn't, the first condition in the code above needs to be escaped
- Otherwise the other escapes might be redundant
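The following stand-alone PHP script is an added example, not code from this issue or from the module; it reproduces the three outcomes the issue describes (no escaping, one escape, double escaping) outside Drupal. It assumes Drupal's `Html::escape()` is equivalent to `htmlspecialchars()` with `ENT_QUOTES | ENT_SUBSTITUTE` and UTF-8, and models the auto-escaping output layer (such as an Attribute value) with a hypothetical `render_attribute()` that always escapes what it is given. The sample title is constructed.

```php
<?php
// Added example; not code from the module or this issue.

// Stand-in for Drupal's Html::escape(). Assumption: it wraps htmlspecialchars()
// with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8.
function escape_like_drupal(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical auto-escaping output layer: renders an attribute and escapes
// its value on output, the behaviour the issue proposes to check for Attribute.
function render_attribute(string $name, string $value): string {
  return $name . '="' . escape_like_drupal($value) . '"';
}

// The two branches of the switch from the issue, written side by side.
// $escape_unsuffixed controls whether the no-suffix branch escapes, which the
// original code does not.
function build_title(string $mtitle, array $data_options, bool $escape_unsuffixed): string {
  if (empty($data_options['twitter_suffix'])) {
    return $escape_unsuffixed ? escape_like_drupal($mtitle) : $mtitle;
  }
  return escape_like_drupal($mtitle) . ' ' . escape_like_drupal($data_options['twitter_suffix']);
}

// Residue of double escaping: an entity whose own ampersand was escaped again,
// e.g. "&amp;quot;" or "&amp;lt;".
function has_double_escape(string $html): bool {
  return (bool) preg_match('/&amp;(?:[a-zA-Z]+|#x?[0-9a-fA-F]+);/', $html);
}

function check(string $label, bool $ok): void {
  if (!$ok) {
    throw new RuntimeException("FAILED: $label");
  }
  echo "ok: $label\n";
}

// Constructed sample input containing a quote and markup.
$title = 'Say "hi" <script>alert(1)</script>';

// Case A: no-suffix branch rendered raw, markup survives (XSS if the title
// were attacker-controlled).
$raw = build_title($title, [], FALSE);
check('unescaped branch keeps <script>', str_contains($raw, '<script>'));

// Case B: suffix branch rendered raw, escaped exactly once.
$once = build_title($title, ['twitter_suffix' => '@example'], FALSE);
check('escaped branch neutralises markup', str_contains($once, '&lt;script&gt;'));
check('escaped branch has no double escape', !has_double_escape($once));

// Case C: suffix branch handed to the auto-escaping layer, double escaped.
$twice = render_attribute('title', $once);
check('escape + auto-escape is double escaped', has_double_escape($twice));
check('double escape shows &amp;quot;', str_contains($twice, '&amp;quot;'));

// Case D: no-suffix branch handed to the auto-escaping layer, escaped once.
// This is the consistent outcome the issue wants on both branches.
$auto = render_attribute('title', build_title($title, [], FALSE));
check('auto-escape alone is escaped once', !has_double_escape($auto));
check('auto-escape alone yields &quot;', str_contains($auto, '&quot;hi&quot;'));
```

Run it with `php escape_check.php`; every line should print `ok:`. The `has_double_escape()` check is the cheap way to spot case C in rendered output, and cases A and D together show why the fix is to decide once, per rendering path, whether the value is escaped by the caller or by the output layer, rather than per branch of the switch.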
Remaining tasks
User interface changes
API changes
Data model changes
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 2769907-consistent-escapes.patch | 672 bytes | Greg Boggs |
Comments
Comment #2
naveenvalecha
Comment #3
Greg Boggs: I believe since these come from an options element, you can't submit JavaScript in these fields. So, I think it's impossible to put HTML in and you don't really need the escapes, but I am not certain. So, here's a patch with consistent escapes to play it safe.
Comment #4
Greg Boggs
Comment #5
naveenvalecha: Fair enough. Committed and pushed to 8.x-2.x.