Security issue because of unescaped field labels

This is only possible if someone has permission to change field names, which requires the "administer field" permission. That permission is considered a special permission that should only be given to trusted users, so this isn't a security problem in the traditional sense.

I am a bit confused here ... there are other instances where the field labels are used directly as well.

Version change only.

Rerolled.

I'm still tempted to close this as "won't fix" because admin labels of entity types and fields are generally considered admin-only, so if an admin is adding some XSS to your field labels maybe you have other problems?

This was released as backdrop security fix in https://backdropcms.org/security/backdrop-sa-core-2024-001

Raising priority to critical as this is a small XSS vulnerability, but fortunately can only be exploited by trusted admins as Damien said.

Setting to "needs work" as I think we should do the same fix as Backdrop.

Ported patch from backdrop.

Thanks for the patch Klausi!

Thank you all for working on the fix and reviewing it.

Thanks everyone

Was reported years ago but If confirmed that that still happening today and it's really a security issue, since our stable releases are covered by the security advisory policy we must follow this instruction, right?!

Or if isn't considered a security issue, I'd suggest updating the issue title :)

It is a security issue, but it falls outside of the security advisory policy of the Drupal Security team. The vulnerability can only be exploited if the attacker has an elevated permission "administer fields". Therefore we can fix this in public (not sure why Backdrop issued an advisory).

Clarified that in the issue summary

Thanks Klausi.

Put another way - this is a minor security hardening issue for some rare scenarios, rather than a something a non-admin would be able to exploit.

Oh hm, @jenlampton replied in Slack that the Backdrop fix is not necessary for Drupal 7 because Views UI has an extra XSS filter that Backdrop does not have anymore. She is right, I tried to exploit this but could not get XSS to trigger when adding a field in the Views UI.

Is there any other place where these field labels are displayed?

Very sorry for the noise here, I should have tested my assumptions fully before escalating here. Downgrading the priority again and setting this back to active.

For the Views module in Drupal 7 I think we should not remove the extra XSS filter in Views UI, even if there could be some double escaping then. Keeping the potential double escaping is the secure choice at this point in the late D7 cycle.

Let me know if you see the XSS trigger and where exactly!