The theme reaction makes section_title and section_subtitle available to page.tpl.php but doesn't wrap them in check_plain, which means those vars could contain malicious data.

Comments

febbraro’s picture

subscribe

jmiccolis’s picture

Status: Active » Fixed

Thanks for the patch, it has been committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jmiccolis’s picture

Version: 7.x-3.0-alpha2 » 6.x-3.x-dev
Assigned: Unassigned » jmiccolis
Status: Closed (fixed) » Patch (to be ported)

I birdy told me that this may also need to be fixed in 6.x

coltrane’s picture

Section class should also be sanitized because a value of "><script>alert('class');</script><-- can escape the class attribute and get JS executed.

Note: this issue has been cleared by the Security Team because the permission 'administer site configuration' is required to enter malicious JS into these fields

Steven Jones’s picture

Patches for 6.x-2.x and 6.x-3.x attached.

jmiccolis’s picture

Status: Patch (to be ported) » Fixed

I've applied the 3.x patch and Steven applied the 2.x one.

Thanks for the help! Setting to closed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.