Block Menu doesn't appear to escape the special chars for the block title. This means that characters such as "&" do not get changed to "&amp;", causing a validation error. More seriously, it means that <script>alert("hi there");</script> will execute.
To recreate:
- Use menu block with Primary links level 2+ menu block.
- Create primary menu item with title which includes javascript.
- Add child menu item, so that menu block appears when parent selected.
- Select parent item; script executes.
I don't know if this could ever be a problem in the real world. You'd need a website that allows users to create menus that produced menu blocks with a root at a user level. I suppose it's possible.
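The difference between the two behaviours described in this report, as an added example that is not Menu Block's own code: one function concatenates the menu item title straight into the block markup, the other passes it through Drupal's check_plain() first. The function names, the sample titles and the fallback definition of check_plain() are assumptions made for the example; the fallback mirrors Drupal 6's one-line definition so the script runs under a plain `php` CLI without a Drupal bootstrap.

```php
<?php
// Added example, not code from the Menu Block module.
// Run with: php menu_title_escaping.php

// Drupal 6 defines check_plain() as htmlspecialchars() with ENT_QUOTES and
// UTF-8. The guard lets this script run outside Drupal without redefining
// the real function when it is present.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern (hypothetical name): the title is trusted as-is, so
// markup in a user-created menu item lands unchanged in the block output.
function render_block_title_unescaped($title) {
  return '<h2 class="block-title">' . $title . '</h2>';
}

// Hardened pattern (hypothetical name): escape on output, so "&" becomes
// "&amp;" (valid markup) and "<script>" becomes "&lt;script&gt;" (inert text).
function render_block_title_escaped($title) {
  return '<h2 class="block-title">' . check_plain($title) . '</h2>';
}

// Constructed sample titles covering both cases from the report: a bare
// ampersand that breaks validation, and a script tag that executes.
$titles = array(
  'Tom & Jerry',
  '<script>alert("hi there");</script>',
);

foreach ($titles as $title) {
  echo "title:     " . $title . "\n";
  echo "unescaped: " . render_block_title_unescaped($title) . "\n";
  echo "escaped:   " . render_block_title_escaped($title) . "\n\n";
}

// Self-check: the escaped output never contains a raw tag or bare ampersand,
// while the unescaped output still carries the script tag through.
assert(strpos(render_block_title_escaped('<script>x</script>'), '<script') === false);
assert(strpos(render_block_title_unescaped('<script>x</script>'), '<script') !== false);
assert(render_block_title_escaped('Tom & Jerry') === '<h2 class="block-title">Tom &amp; Jerry</h2>');
assert(render_block_title_escaped('<script>alert("hi there");</script>')
  === '<h2 class="block-title">&lt;script&gt;alert(&quot;hi there&quot;);&lt;/script&gt;</h2>');
```

The same rule applies anywhere the title is interpolated: in Drupal 6, `t('@title', array('@title' => $title))` escapes the `@` placeholder with check_plain() as well, whereas a `!` placeholder does not, so a menu title must never be passed through `!`. Menu item titles count as user input whenever the site lets anyone other than a trusted administrator create them, which is exactly the condition the report above raises.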
Comments
Comment #1
JohnAlbin: I believe the validation/special chars escaping is a bug in Drupal core.
The XSS is definitely all mine. Thanks for finding this!
See SA-CONTRIB-2010-031 - Menu Block - Cross Site Scripting (XSS)
Comment #2
imonemus: Just to let you know, since the fix, special chars are indeed escaping (at least '&' becomes '&amp;').
Thanks for doing this.
Comment #3
JohnAlbin: Oh! Well, yay! :-)
Again, thanks for the report!