Properly sanitize user-defined dropzone message [#2854175]

Dropzone area message is not rendered through the Twig, which means that it is not automatically sanitized. I tried to exploit it, but it seems that any Javascript code injected into it won't fire.

I think that we should escape the text nonetheless.

Problem is mitigated by the fact that one needs administrative permission to potentially exploit it.

Comment	File	Size	Author
#2	2854175_2.patch	884 bytes	slashrsm

Comments

Comment #1

20 February 2017 at 13:31

slashrsm created an issue. See original summary.

Comment #2

slashrsm commented 20 February 2017 at 13:33

Issue summary:	View changes
Status:	Active	» Needs review

Status	File	Size
new	2854175_2.patch	884 bytes

Comment #3

20 February 2017 at 13:38

Primsi committed 9e1f51b on 8.x-1.x authored by slashrsm

Issue #2854175 by slashrsm: Properly sanitize user-defined dropzone...

Comment #4

primsi commented 20 February 2017 at 13:38

Status:

Needs review

» Fixed

Committed, thanks.

Comment #5

6 March 2017 at 13:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Properly sanitize user-defined dropzone message

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

News items

Our community

Documentation

Drupal code base

Governance of community