Project: Documentation
Component: Correction/Clarification
Category: bug report
Priority: critical
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

http://drupal.org/node/35730

OK, it's hard to check everything, but isn't there an XSS even in the basic "getting started" example?

Comments

#1

Component: Customization and Theming Guide » Correction/Clarification

#2

Status: active » needs review

Drupal 5 does nearly the same

<?php
$output .= '<dt class="'. $item['class'] .'">'. $item['title'] .'</dt>';
?>

These items get there by hook_user $op = 'view'
-> the modules should provide the safety stuff

for example the profile module
http://api.drupal.org/api/function/profile_view_field/6

So there should be no XSS problem, or not?

#3

Status: needs review » fixed

This has since been fixed (according to smrt people in #drupal)

see: http://drupal.org/node/35730/revisions/view/346769/680458
"the check_plain() part fixes it"
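
Added example, not part of the thread or of the handbook page: the concatenation quoted in comment #2 next to a version that escapes both values at output time, run on a constructed item. It assumes the fix amounts to passing the values through check_plain() before they reach the markup; the function names render_item_raw() and render_item_escaped() are hypothetical, and the check_plain() stand-in is only there so the snippet runs outside Drupal.

```php
<?php
// Stand-in for Drupal's check_plain() (assumption: HTML-escape with
// ENT_QUOTES); inside Drupal the real function is already defined.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// The pattern from comment #2: values go into the markup unchanged.
function render_item_raw(array $item) {
  return '<dt class="'. $item['class'] .'">'. $item['title'] .'</dt>';
}

// Same markup, with the attribute value and the text both escaped.
function render_item_escaped(array $item) {
  return '<dt class="'. check_plain($item['class']) .'">'
    . check_plain($item['title']) .'</dt>';
}

// Constructed sample: what the theme layer would receive if a module
// passed user input through without filtering it.
$item = array(
  'class' => 'item" data-injected="1',
  'title' => '<script>alert(1)</script>',
);

$raw = render_item_raw($item);
$escaped = render_item_escaped($item);

print "raw:     $raw\n";
print "escaped: $escaped\n";

// In the raw output the input closes the class attribute and opens a tag.
// In the escaped output the only double quotes and the only tags are the
// ones the template itself wrote.
print 'script tag in raw output:     ';
var_dump(strpos($raw, '<script>') !== false);
print 'script tag in escaped output: ';
var_dump(strpos($escaped, '<script>') !== false);
print 'double quotes in escaped output: '. substr_count($escaped, '"') ."\n";
?>
```

Escape each value exactly once: if the module that supplied the item has already run it through check_plain(), as comment #2 expects modules to do, escaping again in the theme double-encodes entities.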

#4

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
