Problem/Motivation

This module uses the value of the data-settings attribute without sanitizing dangerous options.

Steps to reproduce

  1. Create a bundle with an image field that uses the Tiny Slider Carousel formatter.
  2. As an attacker who can insert HTML in the page, insert this HTML:

       <div class="tiny-slider-wrapper" data-settings='{ "controlsText": ["&lt;img src=x onerror=alert()&gt;"] }'><span>XSS</span></div>

  3. When the page is displayed, the JS is executed.

This is mitigated by the fact that the default CKE config does not allow data attributes.
However, Xss::filter() allows data attributes, and this method is used by various contrib modules to sanitize user input.

For example, this can be reproduced with the html_title module:

  1. Enable the module.
  2. Create a node with this title:

       <sub class="tiny-slider-wrapper" data-settings='{ "controlsText": ["&lt;img src=x onerror=alert()&gt;"] }'><sub>XSS</sub></sub>

Proposed resolution

I wonder if calling Drupal.checkPlain() on every setting would work or if it could break some legitimate settings.

Remaining tasks

User interface changes

API changes

Data model changes
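As an added example (not code from the Tiny Slider module or from anyone in this thread), here is the resolution floated above in plain JavaScript: every string in the parsed data-settings object is escaped before it could reach the slider. checkPlain below mirrors what Drupal.checkPlain() does, so the block runs outside a Drupal page; the attribute value is constructed from the reproduction step.

```javascript
// Mirror of Drupal.checkPlain(): HTML-escape the five significant characters.
// (Assumption: Drupal's own function is not available outside a Drupal page.)
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Walk the parsed settings and escape strings wherever they occur:
// top level, nested objects, and arrays such as controlsText.
function sanitizeSettings(value) {
  if (typeof value === 'string') return checkPlain(value);
  if (Array.isArray(value)) return value.map(sanitizeSettings);
  if (value && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeSettings(value[key]);
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Parse the attribute value as the browser hands it back (entities such as
// &lt; already decoded by the HTML parser); malformed JSON yields no settings.
function readSettings(rawAttr) {
  let parsed;
  try {
    parsed = JSON.parse(rawAttr);
  } catch (e) {
    return {};
  }
  return sanitizeSettings(parsed);
}

// Constructed input: the decoded data-settings value from the issue's
// reproduction step, with one harmless numeric option added.
const ATTACK_ATTR = '{ "controlsText": ["<img src=x onerror=alert()>"], "items": 3 }';

const safe = readSettings(ATTACK_ATTR);
console.log(safe.controlsText[0]); // &lt;img src=x onerror=alert()&gt;
```

Escaping every string also neutralises any markup a site deliberately placed in controlsText, which is exactly the trade-off the proposed resolution asks about.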


Comments

prudloff created an issue. See original summary.

Comment by sourabhsisodia_:

Assigned: Unassigned » sourabhsisodia_

Comment by sourabhsisodia_:

Assigned: sourabhsisodia_ » Unassigned
Status: Active » Needs review

  • ipwa committed c6eaa463 on 1.1.x
    Issue #3545793 by sourabhsisodia_, prudloff, ipwa: XSS vulnerability
    
Comment by ipwa:

Thanks for your work @sourabhsisodia_,

@prudloff, just had time to work on this; appreciate your guidance and help with this :D

Comment by ipwa:

Status: Needs review » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.