Hi.
I was told that if I don't validate the fields in the form, people can use different characters and hack into the site.
Is there any truth in this?
Thanks.
Shay
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | Screen Shot 2015-11-09 at 6.11.02 pm.png | 53.6 KB | dman |
Comments
Comment #1
dman commented:

Form entries are a possible vector, but it all depends on what you do with the data once it's submitted.
It's not so much about "validation" as it is sanitizing.
Don't trust submitted data to pass directly to a database query - which is why Drupal always uses the DB abstraction layer to ensure it's safe.
Don't reflect the text a user enters directly back to them without checking for XSS dangers like script tags. This is why Drupal uses input filters that limit a user's ability to use markup.
There are other, more unlikely issues, but any security can be broken if you code without care. Drupal code includes a lot of protection and best practices - if used correctly.
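The two habits dman describes (let the DB layer quote submitted values, and escape them before they are printed back) in a minimal Drupal 7 custom module. This is an added example, not code from the thread or from the Webform module; the module name `safe_echo` and its one-column `safe_echo` table (assumed to be declared in a `hook_schema()` not shown here) are hypothetical.

```php
<?php
// Added example (hypothetical "safe_echo" module for Drupal 7): a form whose
// free-text value is stored through the DB abstraction layer and rendered back
// through check_plain(), so markup typed into the field is shown, not executed.

/** Implements hook_menu(). */
function safe_echo_menu() {
  $items['safe-echo'] = array(
    'title' => 'Safe echo',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('safe_echo_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

/** Form with a single free-text field. */
function safe_echo_form($form, &$form_state) {
  $form['message'] = array(
    '#type' => 'textfield',
    '#title' => t('Message'),
    '#maxlength' => 255,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

/** Submit handler: the value reaches SQL only through the query builder. */
function safe_echo_form_submit($form, &$form_state) {
  $message = $form_state['values']['message'];
  // Not this: db_query("INSERT INTO {safe_echo} VALUES ('$message')");
  // db_insert() binds the value as a parameter, so quotes in it are data.
  db_insert('safe_echo')->fields(array('message' => $message))->execute();
  // t() escapes %-placeholders itself; do not concatenate $message into the string.
  drupal_set_message(t('Saved: %message', array('%message' => $message)));
}

/** Reflecting the stored text back: escape it, never print it raw. */
function safe_echo_render($message) {
  // Unsafe: return '<p>' . $message . '</p>';   // would reflect <script> as-is
  // check_plain() turns <, >, & and quotes into entities, so the browser shows
  // the text of the script instead of running it.
  return '<p>' . check_plain($message) . '</p>';
}
```

If the field is meant to accept a restricted set of tags (a textarea with simple formatting), `filter_xss($message)` with its default allowed-tag list is the Drupal 7 call to use in place of `check_plain()`.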
Comment #2
quicksketch commented:

Webform should protect you as long as there aren't any grave mistakes in the configuration of your website (such as allowing users to use Full HTML input filters or simply poorly set user permissions at admin/user/permissions). Closing after lack of activity.
Comment #3
yaach commented:

Sorry to reopen this, but I need a little clarification on this.
I recently created a multi-page form, and as my last step before putting it live I did some black-box testing against the form. One of my tests was for XSS: I entered a script with an alert in a textarea field. The form submitted normally without any complaints or errors, but then when I went to edit the submission the alert popped up.
I thought Webform and Drupal were checking for XSS. Am I forgetting to configure any settings so that fields do not allow scripts to be inserted?
Thanks
Comment #4
yaach commented (no text).
Comment #5
dman commented:

On an unconfigured site, adding a textfield to a webform produces untrusted, and therefore 'escaped', HTML markup.
It's been passed through the XSS filter.
If you are getting something else, it would probably help if you provided exact steps to replicate.
I
* Enabled webform on an empty site
* Added a new form
* Added a new 'textfield' component, leaving all options default
* Submitted a new form submission, containing JavaScript as the value.
* Viewed the result, /node/2/submission/1, viewed the 'edit' result page and clicked around.
* Saw only the escaped rendering of the JavaScript; it did not trigger.
If that's not happening for you, there may be some other interaction happening that is specific to your site.
Comment #6
DanChadwick commented:

Let's not have discussion in a 6-year-old issue relating to an entirely different version. If there is still a problem, please open a new issue. If you have correctly configured your site, have not adjusted your allowed webform tags in settings.php, and have not granted permission to something like Full HTML, you should open a security issue instead. I am, however, pretty darn sure that webform does not currently have an XSS vulnerability in this area.