Block Menu doesn't appear to escape the special chars for the block title. This means that characters such as "&" do not get changed to "&amp;", causing a validation error. More seriously, it means that <script>alert("hi there");</script> will execute.

To recreate:

- Use menu block with Primary links level 2+ menu block.
- Create a primary menu item with a title that includes JavaScript.
- Add a child menu item, so that the menu block appears when the parent is selected.
- Select the parent item; the script executes.

I don't know if this could ever be a problem in the real world. You'd need a website that allows users to create menus that produced menu blocks with a root at a user level. I suppose it's possible.
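The pattern the report describes, as an added illustration that is not Menu Block's own code: a minimal stand-in for a block-title rendering function, once with the root item's title concatenated straight into the markup and once passed through Drupal 6 core's check_plain() first. check_plain() is a real Drupal API function; the two render functions, the stand-in definition of check_plain() used so the script runs outside Drupal, and the sample titles are constructed for this example.

```php
<?php
// Added example, not code from the Menu Block module. The render functions
// and sample titles are illustrative; check_plain() is Drupal 6 core API.

if (!function_exists('check_plain')) {
  // Stand-in for Drupal 6 core's check_plain(), which wraps htmlspecialchars()
  // with ENT_QUOTES and UTF-8, so this script runs outside a Drupal bootstrap.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the menu item's title (user-controlled content) is
// dropped into the HTML unchanged, so "&" breaks validation and "<script>"
// is parsed as markup and executed.
function render_block_title_vulnerable($title) {
  return '<h2 class="block-title">' . $title . '</h2>';
}

// Fixed pattern: escape the title before it reaches the output. The entity
// encoding turns "&" into "&amp;" and "<" into "&lt;", so the browser shows
// the payload as text instead of running it.
function render_block_title_fixed($title) {
  return '<h2 class="block-title">' . check_plain($title) . '</h2>';
}

// Constructed sample titles: the first only produces an HTML validation
// error, the second is the script payload from the report.
$titles = array(
  'Tom & Jerry',
  '<script>alert("hi there");</script>',
);

foreach ($titles as $title) {
  echo "Title:      $title\n";
  echo "Vulnerable: " . render_block_title_vulnerable($title) . "\n";
  echo "Fixed:      " . render_block_title_fixed($title) . "\n\n";
}
```

Run it with the PHP CLI (php example.php). The fixed output for the second title reads `&lt;script&gt;alert(&quot;hi there&quot;);&lt;/script&gt;` inside the heading, which is inert markup; the point for a reviewer is that the escaping has to happen at the output boundary, on every path where a menu title is written into HTML, not only on the one the reporter happened to trigger.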

Comments

JohnAlbin

Status: Active » Fixed

I believe the validation/special chars escaping is a bug in Drupal core.

The XSS is definitely all mine. Thanks for finding this!

See SA-CONTRIB-2010-031 - Menu Block - Cross Site Scripting (XSS)

imonemus

Just to let you know, since the fix, special chars are indeed escaping (at least '&' becomes '&amp;').

Thanks for doing this.

JohnAlbin

Oh! Well, yay! :-)

Again, thanks for the report!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.