Problem/Motivation

ResponsiveImageStyleListEnhancedBuilder::buildRow() inserts image style labels as HTML without escaping them.
This could allow a user with the "administer responsive images" permission to insert arbitrary JS into the page.

Steps to reproduce

  1. As a user with the "administer responsive images" permission create a new image style named <img src=x onerror=alert()>.
  2. Create a new responsive image style that uses this image style.
  3. Browse to /admin/config/media/responsive-image-style: the JS is executed.

Proposed resolution

The label should be escaped with Html::escape().

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork imagestylelistenhanced-3572433

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

prudloff created an issue. See original summary.

opi made their first commit to this issue’s fork.

opi opened merge request !1

opi’s picture

opi
Primary language French
commented
Status: Active » Needs review

Thanks @prudloff for the report. I've created a MR to address this issue, please add a quick review <3

prudloff’s picture

prudloff commented
Status: Needs review » Needs work

I added a comment on the MR.

opi’s picture

opi
Primary language French
commented
Status: Needs work » Needs review