Problem/Motivation

ResponsiveImageStyleListEnhancedBuilder::buildRow() inserts image style labels into the listing page as HTML without escaping them.
Because the label is stored configuration, this is a stored XSS: anyone who can create an image style (in core that is the "administer image styles" permission) can plant arbitrary JS that later runs in the browser of any user who views the responsive image style listing (the "administer responsive images" permission).

Steps to reproduce

  1. As a user who can create image styles, create a new image style named <img src=x onerror=alert()>.
  2. As a user with the "administer responsive images" permission, create a new responsive image style that uses this image style.
  3. Browse to /admin/config/media/responsive-image-style: the alert fires. Viewing the page source shows the label emitted verbatim as an <img> tag rather than as &lt;img ...&gt;.

Proposed resolution

Each label should be escaped with Html::escape() before it is concatenated into the row markup, so that it renders as text rather than as HTML.
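As an added example (not the module's own code, and not the actual patch from this issue), the following sketch of a list builder shows the vulnerable pattern beside the escaped one. The class name, the extra "Image styles" column and the two cell-building helpers are assumptions for illustration; `Html::escape()`, `Markup::create()`, `ImageStyle::loadMultiple()` and `getImageStyleIds()` are Drupal core APIs.

```php
<?php

namespace Drupal\example_module;

use Drupal\Component\Utility\Html;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Render\Markup;
use Drupal\image\Entity\ImageStyle;
use Drupal\responsive_image\ResponsiveImageStyleListBuilder;

/**
 * Illustrative list builder (added example, not the module's own code).
 *
 * Adds an "Image styles" column to the responsive image style listing and
 * shows an unescaped (vulnerable) and an escaped (fixed) way to build it.
 */
class ExampleResponsiveImageStyleListBuilder extends ResponsiveImageStyleListBuilder {

  /**
   * {@inheritdoc}
   */
  public function buildHeader() {
    $header = parent::buildHeader();
    $header['image_styles'] = $this->t('Image styles');
    return $header;
  }

  /**
   * {@inheritdoc}
   */
  public function buildRow(EntityInterface $entity) {
    $row = parent::buildRow($entity);
    // Collect the labels of the image styles this responsive style maps to.
    // Labels are admin-supplied configuration and must be treated as untrusted.
    $labels = [];
    foreach (ImageStyle::loadMultiple($entity->getImageStyleIds()) as $style) {
      $labels[] = $style->label();
    }
    // Swap in buildImageStylesCellVulnerable() to reproduce the bug.
    $row['image_styles']['data'] = $this->buildImageStylesCellFixed($labels);
    return $row;
  }

  /**
   * VULNERABLE variant: the raw labels are joined into HTML and wrapped in
   * Markup::create(), which flags the string as safe. The renderer then emits
   * it verbatim, so a label of "<img src=x onerror=alert()>" executes.
   */
  protected function buildImageStylesCellVulnerable(array $labels) {
    return [
      '#markup' => Markup::create(implode('<br />', $labels)),
    ];
  }

  /**
   * FIXED variant: every label goes through Html::escape() before being
   * concatenated, so the same label is emitted as the literal text
   * "&lt;img src=x onerror=alert()&gt;" and no script runs.
   */
  protected function buildImageStylesCellFixed(array $labels) {
    $escaped = array_map([Html::class, 'escape'], $labels);
    return [
      '#markup' => Markup::create(implode('<br />', $escaped)),
    ];
  }

}
```

Html::escape() is needed precisely because the code builds HTML by hand and then declares the result safe with Markup::create(). The alternative that avoids the problem class entirely is to hand the render system plain strings (for example a `#theme => 'item_list'` element whose `#items` are the unescaped labels) and let Twig's autoescaping do the work; then no explicit escape call is required and there is nothing to forget.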

Remaining tasks

User interface changes

API changes

Data model changes


Comments

prudloff created an issue. See original summary.

opi made their first commit to this issue’s fork.

opi commented:

Status: Active » Needs review

Thanks @prudloff for the report. I've created an MR to address this issue; please add a quick review <3

prudloff commented:

Status: Needs review » Needs work

I added a comment on the MR.

opi commented:

Status: Needs work » Needs review