Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

When Drupal runs in English, the window.drupalTranslations object is never created, so the name is exposed to DOM clobbering.

Clobbering a nested object this many levels deep requires iframes.
If an attacker can insert iframes (for example with the ckeditor_iframe module), they could insert this payload:

<iframe name="drupalTranslations" src="/url/of/current/page"></iframe>
<iframe name="strings" src="/url/of/current/page"></iframe>
<a id="foo"></a><a id="foo" name="bar" href="clobbered"></a>

drupalTranslations.strings.foo.bar now resolves to the link,
so Drupal.t('bar', [], {context: 'foo'}).toString() returns http://localhost/drupal/clobbered.
(For some reason this only works in Chrome, not in Firefox.)
This could be used to inject dangerous markup into the page, but it can only affect translated strings that have a context.

Steps to reproduce

For example, if a module does this:

  $element.append(
    `<abbr title="${Drupal.t('Changed', [], { context: 'mymodule' })}">*</abbr>`,
  );

This is normally safe, because the output of Drupal.t() is trusted.

If an attacker can insert this HTML:

<iframe name="drupalTranslations" src="/drupal/web/"></iframe>
<iframe name="strings" src="/drupal/web/"></iframe>
<a id="mymodule"></a><a id="mymodule" name="Changed" href="http://&quot;&gt;&lt;img src=x onerror=alert()&gt;"></a>

Drupal.t() now returns the XSS payload and the injected JS is executed.

Proposed resolution

I think the solution would be to always create window.drupalTranslations.
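As an added illustration (not code from the issue or from Drupal core), the lookup path the payload abuses, drupalTranslations.strings[context][str], is modelled below twice: once guarded only by truthiness checks, and once hardened so that every level must be a plain object and the leaf a string. A helper in the spirit of the proposed fix, which defines the global up front, is included as well. The translation table, the fake clobbered objects and the function names (naiveLookup, safeLookup, ensureTranslationsDefined) are constructed for this example and are assumptions, not Drupal's API.

```javascript
// Added example, not code from Drupal core or from the issue: a translation
// lookup hardened against DOM clobbering of the `drupalTranslations` global.
//
// Assumed (not stated in the issue): the table has Drupal's shape,
// strings[context][source] -> translated string, and the lookup takes the
// table as a parameter so it can be exercised here without a browser.

// Constructed translation table (sample data, not from the issue).
const SAMPLE_TRANSLATIONS = {
  strings: {
    '': { Home: 'Accueil' },
    mymodule: { Changed: 'Modifié' },
  },
};

// Constructed stand-ins for what named-element access yields once the global
// is clobbered: `drupalTranslations` becomes an iframe's WindowProxy, `.strings`
// a second WindowProxy, `.mymodule` an HTMLCollection of the two anchors with
// id="mymodule", and `.Changed` the anchor with name="Changed", whose
// toString() is its href. None of these is a plain object or a string.
class FakeWindowProxy {}
class FakeHTMLCollection {}
class FakeAnchorElement {
  constructor(href) { this.href = href; }
  toString() { return this.href; }
}
const CLOBBERED_TRANSLATIONS = new FakeWindowProxy();
CLOBBERED_TRANSLATIONS.strings = new FakeWindowProxy();
CLOBBERED_TRANSLATIONS.strings.mymodule = new FakeHTMLCollection();
CLOBBERED_TRANSLATIONS.strings.mymodule.Changed =
  new FakeAnchorElement('http://localhost/drupal/clobbered');

// Models the nested lookup guarded only by truthiness checks (written for this
// example, not copied from core). Every level of the clobbered chain is a
// truthy object, so the anchor element is returned as the "translation" and
// later stringifies to its href.
function naiveLookup(translations, str, context = '') {
  if (
    typeof translations !== 'undefined' &&
    translations.strings &&
    translations.strings[context] &&
    translations.strings[context][str]
  ) {
    return translations.strings[context][str];
  }
  return str;
}

// True only for plain data objects (object literals / parsed JSON), which
// excludes WindowProxy, HTMLCollection and Element values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Own-property read that ignores inherited names such as "toString".
function ownProp(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Hardened lookup: each level must be a plain object and the leaf a string;
// anything else falls back to the untranslated source string.
function safeLookup(translations, str, context = '') {
  if (!isPlainObject(translations)) return str;
  const strings = ownProp(translations, 'strings');
  if (!isPlainObject(strings)) return str;
  const byContext = ownProp(strings, context);
  if (!isPlainObject(byContext)) return str;
  const translated = ownProp(byContext, str);
  return typeof translated === 'string' ? translated : str;
}

// The direction of the proposed fix: define the global up front. In browsers an
// own property set by script shadows named-element access on window, so a later
// <iframe name="drupalTranslations"> cannot take its place. `globalThis` stands
// in for `window` so this also runs under Node.
function ensureTranslationsDefined(global = globalThis) {
  if (!isPlainObject(global.drupalTranslations)) {
    global.drupalTranslations = { strings: {} };
  }
  return global.drupalTranslations;
}

// Stand-alone demonstration.
console.log(String(naiveLookup(CLOBBERED_TRANSLATIONS, 'Changed', 'mymodule'))); // http://localhost/drupal/clobbered
console.log(safeLookup(CLOBBERED_TRANSLATIONS, 'Changed', 'mymodule'));          // Changed
console.log(safeLookup(SAMPLE_TRANSLATIONS, 'Changed', 'mymodule'));             // Modifié
```

Defining the global unconditionally removes the precondition the payload depends on; the plain-object and string checks are defence in depth for the case where a table entry is ever something other than a string.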

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3607796

Comments

prudloff created an issue.