The "Umami Footer promo" block contains a field for users to configure a "find out more" link.
However, this is treated as just a regular text field, with no special validation or display handling to make sure it works properly as a link. This leads to a variety of problems:
- Security issue: If you configure the block and enter javascript:alert('xss'); for the link text, then anyone clicking on the "Find out more" link will be vulnerable to a cross-site scripting attack. As security issues go, this is relatively low priority since you appear to need "administer blocks" to execute the attack; however, that is not considered a high-level admin permission (see https://www.drupal.org/drupal-security-team/security-advisory-process-an...) so this is still something that would be reported to the Drupal security team if the profile were already included in a point release of Drupal core.
- There is no link validation in general, so you can probably get some other messed-up links too (besides the security example above).
- The link is completely broken (does not take you to the "about" page as intended) when the site is installed in a subdirectory.
It is probably possible to fix these issues directly, via custom code. However, I think the best way to fix them by far is #2938900: Replace profile-defined blocks with custom blocks to fix a variety of problems (and the patch I posted in that issue should already fix all of them). I created this as a separate issue mainly to track the bug.
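An added example, not part of this issue or of the patch in #2938900, of the kind of validation a link value needs before it is rendered as an href: a scheme allowlist that rejects javascript: URIs, and base-path prefixing so a site-relative link still resolves when the site is installed in a subdirectory. The sanitize_promo_link() function, the /drupal base path and the sample inputs are constructed for this demonstration in plain PHP; it is not Drupal's own Link field or UrlHelper code.

```php
<?php
declare(strict_types=1);
/**
 * Validate a user-configured "find out more" value before it becomes an
 * <a href>. Returns a safe href, or NULL when the value must be rejected.
 *
 * Accepted forms:
 *   - absolute URLs whose scheme is in the allowlist (http, https, mailto);
 *   - site-relative paths starting with a single "/", which are prefixed
 *     with the site's base path so they still work in a subdirectory install.
 * Hypothetical helper for this example; base path and inputs are constructed.
 */
function sanitize_promo_link(string $input, string $basePath = '/'): ?string {
    // Drop whitespace and ASCII control characters first: browsers ignore
    // them inside a scheme, so a plain string comparison on the raw value
    // would not be a reliable check.
    $href = preg_replace('/[\x00-\x20\x7f]+/', '', $input);
    if ($href === null || $href === '') {
        return null;
    }

    // Site-relative path: keep it, but honour the base path ("//host" is
    // protocol-relative and external, so it is not treated as a path).
    if ($href[0] === '/' && !str_starts_with($href, '//')) {
        return rtrim($basePath, '/') . $href;
    }

    // Anything else must be an absolute URL with an allowlisted scheme.
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return null; // schemeless text such as "about" is not a usable link
    }
    if (!in_array(strtolower($scheme), ['http', 'https', 'mailto'], true)) {
        return null; // javascript: and every other scheme are rejected
    }
    return $href;
}

// Constructed inputs, assuming the site is installed under /drupal.
$cases = [
    "javascript:alert('xss');",  // rejected: scheme not allowlisted
    "JAVASCRIPT:alert(1)",       // rejected: scheme check is case-insensitive
    "/about",                    // becomes /drupal/about
    "https://example.com/more",  // kept unchanged
    "//example.com/more",        // rejected: protocol-relative, no scheme
];
foreach ($cases as $case) {
    var_dump(sanitize_promo_link($case, '/drupal'));
}
```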
Comments

Comment #2 by David_Rothstein (as a volunteer)

Comment #3 by David_Rothstein (as a volunteer)

Comment #4 by markconroy (as a volunteer and at Annertech)
If #2938900: Replace profile-defined blocks with custom blocks to fix a variety of problems is committed, this is not an issue any more.
Marking as postponed until we see if the issue above is committed.

Comment #5 by larowlan
The blocker is in, if someone can confirm this is resolved and close it.

Comment #6 by acbramley (at PreviousNext for Transport for NSW)
Can confirm the block now uses a proper Link field for the Find out more link with the footer_promo_block block bundle so we get all the goodness of Link field functionality. XSS is not possible anymore, and the link works fine when Drupal is installed in a subdirectory.