Problem/Motivation

This module has a XSS vulnerability in translatable texts.

Steps to reproduce

  1. Enable the module.
  2. As a user with "translate tarte au citron" permission, browse to /admin/config/tarte_au_citron/edit-texts
  3. In the "This website does not use any cookie requiring your consent." field, add <img src="x" onerror="alert('foo')">
  4. This string is then injected by tarteaucitron.js in an element's innerHTML so when the cookie banner is displayed, the JS in "onerror" is executed.

Proposed resolution

I see two potential solutions:

  • Use Xss::filterAdmin() on the strings to sanitize them.
  • Add restrict access to the permission to indicate that it should only be given to trusted users.
Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

prudloff created an issue. See original summary.

klelostec made their first commit to this issue’s fork.

klelostec’s picture

Status: Active » Fixed

Thanks a lot @prudloff.

I fixed this using the Xss::filterAdmin() solution which seems better to me.
This one prevents a malicious user from being able to exploit the XSS vulnerability if he is able to login with a user assigned to roles which are granted to the permission.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

klelostec’s picture

Issue tags: -Security
klelostec’s picture

Issue tags: +Security
klelostec’s picture

Status: Closed (fixed) » Fixed
klelostec’s picture

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.