perform some text filtering on plugin titles

I believe both of these come from hard-coded places, so if they are xss then the exploit vector includes the ability to write plugin code which means...you are already in trouble

That said, there's no reason I could find to simply include plugin titles without some form of filtering just in case. These should be plain text rendered to a browser as plain text.

Comment	File	Size	Author
#1	1361936_some_filtering.patch	1.16 KB	greggles

Comments

Comment #1

he/him

English

Denver, Colorado, USA

commented 5 December 2011 at 22:15

Status:

Active

» Needs review

Status	File	Size
new	1361936_some_filtering.patch	1.16 KB

Log in or register to post comments

Comment #2

e2thex commented 4 January 2012 at 17:53

Status:

Needs review

» Fixed

Applied here
http://drupalcode.org/project/boxes.git/commit/aaec34a

d7 version
http://drupalcode.org/project/boxes.git/commit/c25b38e

Thanks for the catch.

There are modules (like entity_boxes), that programaticly define box types, so this could be an issue.

Log in or register to post comments

Comment #3

he/him

English

Denver, Colorado, USA

commented 4 January 2012 at 18:23

Good to know - luckily the lack of a release on http://drupal.org/project/entity_boxes means it doesn't need an SA.

Thanks, e2thex!

Log in or register to post comments

Comment #4

18 January 2012 at 18:30

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments