In modules/abuse/abuse-report.tpl.php
Need to replace strings:
- print l($object->title, $object->path['URL'], array('html' => TRUE, 'query' => $object->path['QUERY'], 'fragment' => $object->path['BREADCRUMB']));
+ print l(filter_xss_admin($object->title), $object->path['URL'], array('html' => TRUE, 'query' => $object->path['QUERY'], 'fragment' => $object->path['BREADCRUMB']));

- print $object->description;
+ print filter_xss_admin($object->description);
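Review bot: filter_xss_admin() is the wrong sanitizer for the title line, because the title is plain text and 'html' => TRUE tells l() to trust whatever it receives; filter_xss_admin() still lets a broad admin-oriented tag whitelist through. Use check_plain($object->title) there, or drop 'html' => TRUE so l() escapes the text itself. For the description line, filter_xss_admin() only fits if that field is meant to carry trusted HTML; if it is plain text, check_plain() is the right call there as well.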

Comments

MAMONT’s picture

Small correction.
print l(check_plain($object->title), $object->path['URL'], array('html' => TRUE, 'query' => $object->path['QUERY'], 'fragment' => $object->path['BREADCRUMB']));

In H2 don't use filter_xss_admin, please use check_plain.

MAMONT’s picture

Steps to reproduce.
1. Create a new node with alert('xss1'); in the title and alert('xss2'); in the body.
2. Click 'Flag as offensive'.
3. Go to admin/content/abuse.

jcisio’s picture

It's easier to remove 'html' => TRUE, isn't it?
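To show why both suggestions in this thread work (check_plain() on the title in #1, or dropping 'html' => TRUE in #3), here is an added stand-alone example that is not code from the abuse module or Drupal core. It models only the text handling of Drupal 6/7's l() and check_plain() (the model functions and the constructed $object are assumptions), so it runs without a Drupal install.

```php
<?php
// Model of check_plain(): Drupal escapes with htmlspecialchars(ENT_QUOTES, 'UTF-8').
function check_plain_model($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Model of l(): Drupal escapes the link text itself unless the caller passes
// 'html' => TRUE, in which case the text is trusted as already-safe HTML.
// Only the text handling matters here; query/fragment options are ignored.
function l_model($text, $path, array $options = array()) {
  $text = empty($options['html']) ? check_plain_model($text) : $text;
  return '<a href="' . check_plain_model($path) . '">' . $text . '</a>';
}

// TRUE when no raw <script> tag survived into the rendered markup.
function is_escaped($html) {
  return stripos($html, '<script') === FALSE;
}

// Constructed node, matching the reproduction steps above.
$object = (object) array(
  'title' => "<script>alert('xss1');</script>",
  'path'  => array('URL' => 'node/1'),
);

// Before the fix: 'html' => TRUE with an unescaped title, so the script
// tag reaches the admin/content/abuse page as live markup.
$before = l_model($object->title, $object->path['URL'], array('html' => TRUE));

// Fix from #1: escape the title yourself and keep 'html' => TRUE.
$fix_check_plain = l_model(check_plain_model($object->title), $object->path['URL'], array('html' => TRUE));

// Fix from #3: drop 'html' => TRUE and let l() do the escaping.
$fix_no_html = l_model($object->title, $object->path['URL']);

foreach (array('before' => $before, 'check_plain' => $fix_check_plain, 'no_html' => $fix_no_html) as $label => $html) {
  printf("%-12s escaped=%s  %s\n", $label, is_escaped($html) ? 'yes' : 'no', $html);
}
```

Running it prints escaped=no for the original line and escaped=yes for both fixes, which is why either change closes the title vector; the description line needs the same treatment via check_plain() unless that field really holds trusted HTML.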

MAMONT’s picture

dave reid’s picture

Issue tags: +Security improvements

tagging

greggles’s picture

Subscribe.

I agree with jcisio in #3: on that one particular section of code it is clearer to simply remove the html => true.

jcisio’s picture

Status: Active » Fixed

I committed to both the 1.x and 2.x branches. A new official release for the 1.x branch is out. I'm quite busy and don't have time for other fixes in this release.

Automatically closed -- issue fixed for 2 weeks with no activity.