Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

block.admin.js passes the value of the data-element attribute to $() without sanitizing it:

      const $input = $(once('block-filter-text', 'input.block-filter-text'));
      const $table = $($input.attr('data-element'));

This is dangerous because $() accepts either a selector or raw HTML, and decides which it has been given by inspecting the string itself.

Steps to reproduce

This could be exploited if an attacker can insert this payload on /admin/structure/block:

<input class="block-filter-text" data-element="&lt;img src=x onerror=alert()&gt;">

Proposed resolution

Using document.querySelector() would probably be safer.
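To make the two halves of this report concrete, here is an added example (not code from Drupal core or from this issue) that models how jQuery's $() decides between "selector" and "HTML" for a string argument, and then shows a lookup that validates the attribute value as a plain id selector before handing it to querySelector(). The `#blocks` value and the `fakeDocument` object are constructed for the example so it runs outside a browser; the real page would pass `document`.

```javascript
// Added example: models jQuery's selector-vs-HTML dispatch and a hardened
// alternative. Not Drupal's block.admin.js; see the lead-in for assumptions.

// jQuery.fn.init applies this quick test: a string that starts with "<" and
// ends with ">" is HTML outright; otherwise rquickExpr is tried, and a match
// on its first group (a "<tag ...>" prefix) is also treated as HTML.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function jQueryWouldParseAsHtml(str) {
  if (typeof str !== 'string') return false;
  if (str.length >= 3 && str[0] === '<' && str[str.length - 1] === '>') return true;
  const match = rquickExpr.exec(str);
  return Boolean(match && match[1]);
}

// The HTML parser decodes entities in attribute values before JavaScript
// reads them, so the escaped payload from the report reaches $() as markup.
function decodeAttributeValue(raw) {
  return raw
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Hardened lookup: accept only a bare id selector (assumed to be the only form
// the block filter needs) and resolve it with querySelector, which never
// creates elements from its argument. Anything else is rejected, not interpreted.
const ID_SELECTOR = /^#[A-Za-z][\w-]*$/;

function findFilterTarget(attrValue, root) {
  if (!ID_SELECTOR.test(attrValue)) {
    return null;
  }
  return root.querySelector(attrValue);
}

// Constructed stand-in for `document` so the example runs under plain Node.
const fakeDocument = {
  elements: { '#blocks': { id: 'blocks', tagName: 'TABLE' } },
  querySelector(sel) {
    return this.elements[sel] || null;
  },
};

// The attribute value from the report, exactly as it would sit in the markup.
const PAYLOAD_ATTR = '&lt;img src=x onerror=alert()&gt;';

function demo() {
  const decoded = decodeAttributeValue(PAYLOAD_ATTR);
  return {
    decoded,
    // What $(decoded) would do: parse HTML, creating the <img> element.
    jqueryTreatsPayloadAsHtml: jQueryWouldParseAsHtml(decoded),
    // What $('#blocks') would do: run a selector lookup.
    jqueryTreatsIdAsHtml: jQueryWouldParseAsHtml('#blocks'),
    // The validated lookup refuses the payload and resolves the legitimate id.
    hardenedPayloadResult: findFilterTarget(decoded, fakeDocument),
    hardenedIdResult: findFilterTarget('#blocks', fakeDocument),
  };
}

console.log(demo());
```

Note that a real document.querySelector() throws a SyntaxError on a string like `<img ...>` rather than executing it, so the proposed switch already closes the HTML-parsing path; the extra id-selector check above simply turns that exception into a predictable null for any value the markup was never meant to carry.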

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3607797


Comments

prudloff created an issue.