Better Formats module (http://drupal.org/project/better_formats) contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Mitigating factors:
-------------------
In order to execute arbitrary script injection, malicious users must have the 'Administer filters' permission. The Drupal security team has classified vulnerabilities that require this permission (http://drupal.org/node/475848) as "display bugs", because access to this permission allows for alteration of input specifications that could allow users with permissions to create content to craft arbitrary PHP.

The attached patch mitigates this "display bug".

Comment  File                           Size       Author
         better_formats-6.x-1.2.patch   859 bytes  Justin_KleinKeane
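The following is an added illustration of the class of bug described above, not code from the Better Formats module or from the attached patch. It assumes a Drupal 6 style admin listing that reads rows from the {filter_formats} table (where an 'Administer filters' user controls the name column) and renders them into a table; the vulnerable version concatenates the stored name into markup, the hardened version passes every value through check_plain() at the point of output. The sample rows and the local check_plain() stand-in are constructed so the script runs outside Drupal.

```php
<?php
// Added illustration, not Better Formats' own code. Models a Drupal 6
// admin page that lists input formats by name.

// Constructed sample data standing in for rows of {filter_formats}.
// The third name is what a user holding 'Administer filters' could save.
$formats = array(
  (object) array('format' => 1, 'name' => 'Filtered HTML'),
  (object) array('format' => 2, 'name' => 'Full HTML'),
  (object) array('format' => 3, 'name' => 'Plain <script>alert(document.cookie)</script>'),
);

// Stand-in for Drupal 6 core's check_plain() so this runs outside Drupal.
// Core additionally rejects invalid UTF-8 before escaping; the escaping
// itself is htmlspecialchars() with ENT_QUOTES, which is what matters here.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable: the stored format name is written straight into the markup,
// so a name containing a <script> tag executes for whoever views the page.
function render_format_list_unsafe(array $formats) {
  $rows = array();
  foreach ($formats as $format) {
    $rows[] = '<tr><td>' . $format->format . '</td>'
            . '<td>' . $format->name . '</td></tr>';
  }
  return '<table>' . implode('', $rows) . '</table>';
}

// Hardened: every value that came from the database is escaped on output.
// Escaping at the point of display (rather than on save) is the Drupal
// convention, because the same name may be rendered in different contexts.
function render_format_list_safe(array $formats) {
  $rows = array();
  foreach ($formats as $format) {
    $rows[] = '<tr><td>' . check_plain($format->format) . '</td>'
            . '<td>' . check_plain($format->name) . '</td></tr>';
  }
  return '<table>' . implode('', $rows) . '</table>';
}

// Self-check: the unsafe rendering carries a live <script> tag, the safe
// rendering only its escaped text, which the browser shows as literal characters.
$unsafe = render_format_list_unsafe($formats);
$safe   = render_format_list_safe($formats);

echo 'unsafe output contains raw <script>: '
   . (strpos($unsafe, '<script>') !== FALSE ? 'yes' : 'no') . "\n";
echo 'safe output contains raw <script>:   '
   . (strpos($safe, '<script>') !== FALSE ? 'yes' : 'no') . "\n";
echo 'safe output contains &lt;script&gt;: '
   . (strpos($safe, '&lt;script&gt;') !== FALSE ? 'yes' : 'no') . "\n";
```

Run it with the PHP CLI (`php example.php`). The point to carry back to the real module is the second function: whatever fetched the format names, the fix is to wrap each name in check_plain() (or pass it through a theme function that does so) wherever it is emitted into HTML, rather than trusting that only well-behaved administrators will ever edit a format.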

Comments

dddave:

Status: Active » Needs review
dragonwize:

Status: Needs review » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.