The "Umami Footer promo" block contains a field for users to configure a "find out more" link.

However, this is treated as just a regular text field, with no special validation or display handling to make sure it works properly as a link. This leads to a variety of problems:

  1. Security issue: If you configure the block and enter javascript:alert('xss'); for the link text, then anyone clicking on the "Find out more" link will be vulnerable to a cross-site scripting attack. As security issues go, this is relatively low priority since you appear to need "administer blocks" to execute the attack; however, that is not considered a high-level admin permission (see https://www.drupal.org/drupal-security-team/security-advisory-process-an...) so this is still something that would be reported to the Drupal security team if the profile were already included in a point release of Drupal core.
  2. There is no link validation in general, so you can probably get some other messed-up links too (besides the security example above).
  3. The link is completely broken (does not take you to the "about" page as intended) when the site is installed in a subdirectory.

It is probably possible to fix these issues directly, via custom code. However, I think the best way to fix them by far is #2938900: Replace profile-defined blocks with custom blocks to fix a variety of problems (and the patch I posted in that issue should already fix all of them). I created this as a separate issue mainly to track the bug.
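The failure mode in item 1 (a scheme that is never checked before the value lands in an `href`) and the subdirectory breakage in item 3 are both things a proper link field handles before rendering. The following is an added example, not code from the Umami profile, from the patch in #2938900 or from Drupal core; the function names, the scheme allow-list and the `$base_path` parameter are assumptions chosen for illustration.

```php
<?php
// Added example: a text field dropped into an href versus a link-field-style
// check. Not code from the Umami profile, the issue patch or Drupal core;
// render_promo_link_*, ALLOWED_SCHEMES and $base_path are illustrative names.

declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Vulnerable: the configured value is HTML-escaped, but the URL scheme is
 * never checked, so "javascript:" survives into the href and the browser
 * runs it on click. A site-relative value such as "/about" is also emitted
 * verbatim, so it points at the wrong place when Drupal lives in /subdir.
 */
function render_promo_link_vulnerable(string $value, string $label): string {
    return '<a href="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

/**
 * Hardened: absolute URLs must carry an allow-listed scheme, site-relative
 * paths get the installation's base path prepended, and anything else is
 * rejected outright rather than silently rewritten.
 *
 * @return string|null Rendered anchor, or null when the value is rejected.
 */
function render_promo_link_safe(string $value, string $label, string $base_path = ''): ?string {
    $value = trim($value);

    // Site-relative path: a single leading "/" (not "//host", which would be
    // protocol-relative) and no whitespace or control characters.
    if (preg_match('#^/(?!/)[^\s\x00-\x1F]*$#', $value)) {
        $href = rtrim($base_path, '/') . $value;
    } else {
        $scheme = parse_url($value, PHP_URL_SCHEME);
        if ($scheme === null || $scheme === false) {
            return null; // no scheme at all, or unparseable
        }
        if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
            return null; // javascript:, data:, vbscript: all land here
        }
        $href = $value;
    }

    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs mirroring the issue: the attacker's value from item 1,
// the intended "/about" target, and a site installed under /drupal.
$attack = "javascript:alert('xss');";

echo render_promo_link_vulnerable($attack, 'Find out more'), "\n";
var_dump(render_promo_link_safe($attack, 'Find out more', '/drupal'));
echo render_promo_link_safe('/about', 'Find out more', '/drupal'), "\n";
echo render_promo_link_safe('https://example.com/more', 'Find out more', '/drupal'), "\n";
```

The vulnerable renderer turns the single quotes into `&#039;` but leaves the `javascript:` scheme intact; browsers decode attribute entities before interpreting the URL, so HTML escaping alone does nothing against this. The hardened version rejects the attacker value, prefixes `/about` with the base path so it resolves inside the subdirectory, and passes the `https:` link through unchanged. The scheme allow-list is the essential part; an escape-only approach is what item 1 describes.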

Comments

David_Rothstein created an issue. See original summary.

markconroy

Status: Active » Postponed (maintainer needs more info)

If #2938900: Replace profile-defined blocks with custom blocks to fix a variety of problems is committed, this is not an issue any more.

Marking as postponed until we see if the issue above is committed.

larowlan

Status: Postponed (maintainer needs more info) » Needs review

The blocker is in, if someone can confirm this is resolved and close it.

acbramley

Status: Needs review » Fixed

Can confirm the block now uses a proper Link field for the Find out more link with the footer_promo_block block bundle so we get all the goodness of Link field functionality. XSS is not possible anymore, and the link works fine when Drupal is installed in a subdirectory.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.