Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.The javascript settings get included into the page without any filtering. This allows someone with permission to configure the module to inject malicious code, i.e. a cross-site-scripting attack.
I can think of 3 possible solutions:
1. filter the admin-added values to ensure they don't include malicious code
2. change the hook_permission to make 'restrict access' => TRUE for the administration permission
3. both?
I think solution #1 is the best.
This issue can be in the public queue instead of a private security.drupal.org issue because the Quantcast module doesn't have a stable release (see the policy https://www.drupal.org/security-advisory-policy on which releases get advisories).
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | quantcast-n2462487-2.patch | 575 bytes | DamienMcKenna |
Comments
Comment #1
coltraneEntering this as the "Quantcast P-Code" will demonstrate the XSS issue:
Patch uses check_plain() to mitigate.
Comment #2
DamienMcKennaThe code has changed a good bit, so here's a reroll.
Comment #3
DamienMcKennaBTW the patch also removes a redundant variable_get() from quantcast_page_build().
Comment #4
gregglesAny feedback from the maintainers about this issue?
Comment #6
gregglesNow fixed. Thanks for the reroll, DamienMcKenna!