Problem/Motivation
This module uses the value of the data-settings attribute without sanitizing dangerous options.
Steps to reproduce
- Create a bundle with an image field that uses the Tiny Slider Carousel formatter.
- As an attacker who can insert HTML in the page, insert this HTML:
<div class="tiny-slider-wrapper" data-settings='{ "controlsText": ["<img src=x onerror=alert()>"] }'><span>XSS</span></div>
- When the page is displayed, the JS is executed.
This is mitigated by the fact that the default CKEditor configuration does not allow data attributes.
However, Xss::filter() does allow data attributes, and this method is used by various contrib modules to sanitize user input.
For example this can be reproduced with the html_title module:
1. Enable the module
2. Create a node with this title:
<sub class="tiny-slider-wrapper" data-settings='{ "controlsText": ["<img src=x onerror=alert()>"] }'><sub>XSS</sub></sub>
Proposed resolution
I wonder if calling Drupal.checkPlain() on every setting would work or if it could break some legitimate settings.
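One way to try that approach, as an added example and not the module's own code: a standalone helper (hypothetical names; checkPlain here reimplements the escaping Drupal.checkPlain performs so the snippet runs outside Drupal) that parses the data-settings JSON and HTML-escapes every string value, recursing into arrays and objects, before the result is handed to the slider. Any setting that legitimately carries markup is escaped as well, which is exactly the breakage the question above raises.

```javascript
// Added example, not code from the Tiny Slider Carousel module.
// Mirrors Drupal.checkPlain: escapes &, <, >, " and ' so a string can be
// inserted into markup without being parsed as HTML.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Walk a parsed settings value: strings are escaped, arrays and plain
// objects are recursed into, numbers/booleans/null pass through unchanged,
// so numeric options such as "items" keep working.
function sanitizeSettings(value) {
  if (typeof value === 'string') return checkPlain(value);
  if (Array.isArray(value)) return value.map(sanitizeSettings);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeSettings(value[key]);
    return out;
  }
  return value;
}

// Parse the data-settings attribute value. Malformed JSON yields an empty
// settings object instead of throwing inside the behavior.
function parseSettingsAttribute(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return {};
  }
  return sanitizeSettings(parsed);
}

// Constructed input: the attribute value from the reproduction steps above.
const ATTACK_ATTR = '{ "controlsText": ["<img src=x onerror=alert()>"] }';
// Constructed input: a benign configuration that must survive unchanged.
const BENIGN_ATTR = '{ "items": 3, "loop": true, "mode": "carousel" }';
```

After sanitizing, the escaped controlsText entry renders as literal text rather than an element, so the onerror handler never exists in the DOM.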
Remaining tasks
User interface changes
API changes
Data model changes
Comments
Comment #6
ipwa commented:
Thanks for your work @sourabhsisodia_,
@prudloff just had time to work on this, appreciate your guidance and help with this :D