The summary of my problem is I am using an input filter that has HTML Filter on it. I want to be able to embed flash, so I made sure that

are on my list of accepted markup. The problem came in when I started using flashvars. Flashvars are a url encoded list of variables in the format: key1=value1&key2=value2 Well some of my flash vars are URLs; however, filter_xss calls _filter_xss_split on each tag which calls _filter_xss_attributes. _filter_xss_attributes sends the value of EVERY parameter through filter_xss_bad_protocol, and filter_xss_bad_protocol starts butchering thing if the string has a colon (:) in it. Is it possible that _filter_xss_attributes can be a little more forgiving and only call filter_xss_bad_protocol on applicable properties (like src and href), or maybe filter_xss_bad_protocol can be more forgiving in checking if it starts with javascript (or other protocol) and if the value is formatted like a url. I'm not sure what the best answer is, but I think not every property has the same potential for xss attacks.

Comments

dddave’s picture

dddave CreditAttribution: dddave commented
Title: filter_xss to retrictive » filter_xss to restrictive
Status: Active » Closed (won't fix)

Really 6.9?

The usage of flashvars is pretty common: http://drupal.org/search/apachesolr_search/using%20flashvars?filters=typ...

However for D6 there won't be any fiddling on the filter system, especially not when it concerns security.

timtrinidad’s picture

timtrinidad CreditAttribution: timtrinidad commented
Title: filter_xss to restrictive » _filter_xss_attributes should ignore attribute values for "value" and "flashvars"
Version: 6.9 » 8.x-dev
Category: feature » bug
Status: Closed (won't fix) » Active

(I reference functions in D6 below, but the behavior still seems to apply to 8.x).

It looks like this is still currently an issue that needs to be considered. The way filter_xss currently stands, if a site allows certain embed codes, no Drupal site that uses filter_xss on the user input will be able to use jwplayer (or similar flv players) to reference external files.

One example we've run into is users embedding their player and referencing a video on another one of their servers, e.g.:

<embed type="application/x-shockwave-flash" src="http://d1.example.com/player.swf" flashvars="file=http://d2.example.com/video.avi" />

_filter_xss_attributes and filter_xss_bad_protocol would match against the protocol "file=http:" and remove it.

Is there any harm in ignoring filter_xss_bad_protocol for the "value" and "flashvars" attributes? Is an XSS attack even possible with those attributes?

As a side question, is XSS possible with attributes besides "src", "href", and "on..."?

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Component: filter.module » base system
Heine’s picture

Heine CreditAttribution: Heine commented

timtrinidad, yes other attributes (eg formaction, background) also need their attribute value filtered for dangerous schemes.

Hanno’s picture

Hanno CreditAttribution: Hanno commented

Related, but focusing on the attribute itself and not the value is this issue: #1328768: attributes 'xml:lang' and 'xml:id' transform to 'lang' and 'id' in filter_xss

DeeLay’s picture

DeeLay CreditAttribution: DeeLay commented

Further to this issue, it will break embedded flash video for IE

Consider the following embed code:

<object id="flashObj" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0" height="390" width="595">
<param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1"><param name="bgcolor" value="#FFFFFF">
<param name="flashVars" value="@videoPlayer=1263453612001&amp;playerID=1180743010001&amp;playerKey=AQ~~,AAABDH-R__E~,dB4S9tmhdOrgQJ-vz7N_KM-Fn5lQ8FIH&amp;domain=embed&amp;dynamicStreaming=true">
<param name="base" value="http://admin.brightcove.com">
<param name="seamlesstabbing" value="false">
<param name="allowFullScreen" value="true">
<param name="swLiveConnect" value="true">
<param name="allowScriptAccess" value="always"> 
<embed type="application/x-shockwave-flash" src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1" bgcolor="#FFFFFF" flashvars="@videoPlayer=1263453612001&amp;playerID=1180743010001&amp;playerKey=AQ~~,AAABDH-R__E~,dB4S9tmhdOrgQJ-vz7N_KM-Fn5lQ8FIH&amp;domain=embed&amp;dynamicStreaming=true" base="http://admin.brightcove.com" name="flashObj" seamlesstabbing="false" allowfullscreen="true" swliveconnect="true" allowscriptaccess="always" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" height="390" width="595">
</object>

If you have that on a content type that runs through the HTML filter, the call to _filter_xss_attributes will turn the object attributes:

id="flashObj" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#vers..." height="390" width="595"

into:

id="flashObj" classid="D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#vers..." height="390" width="595"

which will obviously break the video on any browser that use the object tag instead of the embed tag.

In terms of solutions:
1. Hack core (think of the kittens)
2. Disable HTML filter (not recommended)
3. Add clsid to filter_allowed_protocols variable (not ideal)
4. Use something like inline API to have a tag in the content that gets swapped out (Involves a bit of work)

iStryker’s picture

iStryker CreditAttribution: iStryker commented

values is mark as a Safe HTML attribute by https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Preventio... Rule #7. I think this should be whitelisted. I'm working on a whitelist for Drupal 8 here #952964: String stripped from title and alt attribute if contains a colon

For the other attributes, I believe you will need to create a custom module that for D8, extends the class.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented
Issue summary: View changes

I don't see much of an usecase in supporting flash anymore. It seems like a really dead and proprietary technology stack anyway.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Status: Active » Closed (duplicate)

Marking duplicate of #2544110: XSS attribute filtering is inconsistent and strips valid attributes (also see related issues).