Problem/Motivation

The readmoreLink setting is vulnerable to XSS.

Steps to reproduce

Use this config:

moreInfoLink: true
readmoreLink: '"><img src="x" onerror="alert(''foo'')">'

tarteaucitron.js does not sanitize the value before using it in the href attribute.

Proposed resolution

Html::escape() could be used to sanitize the string.

Comments

prudloff created an issue. See original summary.

prudloff wrote:

Html::escape() might not be enough, UrlHelper::filterBadProtocol() is probably the correct solution here.
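To compare the two candidate fixes on the configuration value from the steps to reproduce, here is an added example (not the tarteaucitron module's own code) that runs wherever Drupal's autoloader is loaded, e.g. via `drush php:script`; the helper name `sanitize_readmore_link()` is hypothetical.

```php
<?php

/**
 * Added example (not the tarteaucitron module's own code). Run it where
 * Drupal's autoloader is available, e.g. `drush php:script`. The helper
 * name sanitize_readmore_link() is hypothetical.
 */

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\UrlHelper;

/**
 * Prepares a configured readmoreLink value for use in an href attribute.
 *
 * UrlHelper::filterBadProtocol() strips dangerous URL schemes and then
 * HTML-escapes the result, so it covers both attribute breakout and
 * scheme-based payloads, whereas Html::escape() alone covers only the
 * former.
 */
function sanitize_readmore_link(string $raw): string {
  return UrlHelper::filterBadProtocol($raw);
}

// Constructed sample input: the value from the steps to reproduce above.
$breakout = '"><img src="x" onerror="alert(\'foo\')">';

// Html::escape() turns quotes and angle brackets into entities, so the
// browser sees an odd-looking but inert URL rather than new markup.
print Html::escape($breakout) . PHP_EOL;

// Constructed sample input: a syntactically valid URL whose scheme the
// browser would treat as script. Escaping leaves it completely unchanged,
// which is why Html::escape() on its own is not sufficient here.
$scheme = 'javascript:void(0)';
print (Html::escape($scheme) === $scheme ? 'unchanged' : 'changed') . PHP_EOL;

// filterBadProtocol() removes the scheme so the href can no longer run
// script, and it also escapes the breakout payload.
print sanitize_readmore_link($scheme) . PHP_EOL;
print sanitize_readmore_link($breakout) . PHP_EOL;
```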

klelostec made their first commit to this issue’s fork.

klelostec wrote:

Status: Active » Fixed
Issue tags: -Security

klelostec wrote:

Issue tags: +Security

klelostec wrote:

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.