Background information
This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.
Problem/Motivation
block.admin.js passes the value of the data-element attribute to $() without sanitizing it:
// Bind the filter behaviour to the search box; once() prevents double attachment.
const $input = $(once('block-filter-text', 'input.block-filter-text'));
// The attribute value is handed straight to $(), which treats a string beginning with "<" as HTML rather than as a selector.
const $table = $($input.attr('data-element'));
This is dangerous because $() accepts either a selector or raw HTML: a string that starts with "<" is parsed as markup and turned into DOM elements instead of being used to look up an existing one, so attribute content becomes an HTML injection point.
Steps to reproduce
This could be exploited if an attacker can insert this payload on /admin/structure/block:
<input class="block-filter-text" data-element="<img src=x onerror=alert()>">
Proposed resolution
Using document.querySelector() would probably be safer, since it only ever interprets its argument as a selector and cannot create elements from it; an HTML string passed to it is a selector syntax error rather than new markup.
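The following is an added example, not code from Drupal core or from this issue. It models the rule jQuery's $() uses to decide whether a string is HTML or a selector (the regex is jQuery's own quick-check expression), shows that the payload above falls on the HTML side, and pairs it with the hardened lookup the proposed resolution describes. The fake document, the id "blocks" and the helper names are constructed for the example so it runs outside a browser.

```javascript
// Added example (not Drupal core code): how $() classifies a string, and a
// querySelector-based lookup that never hands attribute data to $().

// jQuery's quick-check expression: group 1 captures a string that looks like
// HTML, group 2 captures a bare "#id" selector.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns true when jQuery's $() would treat `value` as an HTML string and
// build elements from it, rather than using it as a selector.
function jqueryTreatsAsHtml(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  // Fast path used by jQuery: "<...>" of at least three characters is HTML.
  if (value[0] === '<' && value[value.length - 1] === '>' && value.length >= 3) {
    return true;
  }
  const match = rquickExpr.exec(value);
  return Boolean(match && match[1]);
}

// Hardened lookup: resolve the attribute value with querySelector only.
// Anything $() would parse as HTML is refused outright, and an invalid
// selector yields null instead of an exception.
function lookupTarget(doc, value) {
  if (typeof value !== 'string' || jqueryTreatsAsHtml(value)) {
    return null;
  }
  try {
    return doc.querySelector(value);
  } catch (e) {
    return null; // selector syntax error: no element, no markup created
  }
}

// Constructed stand-in for `document` so the example runs under Node without
// a DOM. It resolves only "#id" selectors against a known id list and, like a
// real DOM, throws on a string that is not a valid selector (here: anything
// that is not a bare "#id").
function makeFakeDocument(ids) {
  return {
    querySelector(selector) {
      const m = /^#([\w-]+)$/.exec(selector);
      if (!m) throw new SyntaxError(`'${selector}' is not a valid selector`);
      return ids.includes(m[1]) ? { id: m[1], tagName: 'TABLE' } : null;
    },
  };
}

// Constructed inputs: a benign attribute value (assumed id "blocks") and the
// payload quoted in the issue.
const BENIGN_VALUE = '#blocks';
const PAYLOAD_VALUE = '<img src=x onerror=alert()>';

function demo() {
  const doc = makeFakeDocument(['blocks']);
  return {
    benignIsHtml: jqueryTreatsAsHtml(BENIGN_VALUE),   // false: a selector
    payloadIsHtml: jqueryTreatsAsHtml(PAYLOAD_VALUE), // true: $() would build an <img>
    benignLookup: lookupTarget(doc, BENIGN_VALUE),     // the table element
    payloadLookup: lookupTarget(doc, PAYLOAD_VALUE),   // null: refused
  };
}
```

The classification function is the detection half: run it over the data-element values a page actually ships and anything that returns true is a value that would have been parsed as markup. The lookup function is the mitigation half and matches the proposed resolution, since querySelector has no HTML-creation path at all.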
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Comments