XSS vulnerability in readmoreLink setting [#3372664]

Problem/Motivation

The readmoreLink setting is vulnerable to a XSS vulnerability.

Steps to reproduce

Use this config:

moreInfoLink: true
readmoreLink: '"><img src="x" onerror="alert(''foo'')">'

tarteaucitron.js does not sanitize the value before using it in the href attribute.

Proposed resolution

Html::escape() could be used to sanitize the string.

Issue fork tarte_au_citron-3372664

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3372664-readmoreLink-settings-xss changes, plain diff MR !8
Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

5 July 2023 at 20:04

prudloff created an issue. See original summary.

Comment #2

prudloff commented 11 July 2023 at 08:08

Html::escape() might not be enough, UrlHelper::filterBadProtocol() is probably the correct solution here.

Comment #3

28 August 2023 at 12:09

klelostec made their first commit to this issue’s fork.

Comment #4

28 August 2023 at 15:33

klelostec opened merge request !8

Comment #5

klelostec commented 28 August 2023 at 17:36

Status:	Active	» Fixed
Issue tags:	-Security

Comment #6

klelostec commented 29 August 2023 at 08:35

Issue tags:

+Security

Comment #7

klelostec commented 29 August 2023 at 08:36

Comment #8

12 September 2023 at 08:39

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

XSS vulnerability in readmoreLink setting