The default formatter, the one labelled "Default", does not sanitize data before it's displayed. This is a security vulnerability. However, as per the Security advisories process and permissions policy, it is not necessary to issue a security advisory (SA) because this vulnerability does not affect a stable release. After reporting this to the security team, I was directed to fix this publicly without an SA.

There are actually two things that are broken here:

  • Any formatter that produces unsanitized data should not be the default.
  • The name and/or description of this formatter does not make it clear that it produces unsanitized data.

Comments

colan’s picture

Status: Active » Fixed
Issue tags: +D7 stable release blocker

I've fixed things such that:

  • The default formatter is now "Plain text".
  • The "Default" formatter has been renamed to "Unsanitized".

Committed in 590366f.
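To make the two fixes concrete, here is an added illustration in Drupal 7 Field API terms; it is not the Computed Field module's own code. The field type names the escaping formatter as its default_formatter, and the raw formatter stays available under a label that says what it does. The module prefix mymodule, the formatter machine names and the field type name are assumptions.

```php
<?php
// Added illustration, not the Computed Field module's code. Hook names and
// signatures are Drupal 7 Field API; "mymodule" and the machine names are assumed.

/**
 * Implements hook_field_info().
 *
 * 'default_formatter' is what Drupal picks for a new field instance's display,
 * so it must point at the formatter that escapes output.
 */
function mymodule_field_info() {
  return array(
    'mymodule_computed' => array(
      'label' => t('Computed (example)'),
      'description' => t('A value produced by code at save or display time.'),
      'default_widget' => 'mymodule_hidden',
      'default_formatter' => 'mymodule_plain',
    ),
  );
}

/**
 * Implements hook_field_formatter_info().
 */
function mymodule_field_formatter_info() {
  return array(
    'mymodule_plain' => array(
      'label' => t('Plain text'),
      'field types' => array('mymodule_computed'),
    ),
    'mymodule_unsanitized' => array(
      // The label states the risk instead of hiding it behind "Default".
      'label' => t('Unsanitized (raw HTML, trust the computing code)'),
      'field types' => array('mymodule_computed'),
    ),
  );
}

/**
 * Implements hook_field_formatter_view().
 */
function mymodule_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    if ($display['type'] == 'mymodule_plain') {
      // Escape before output: a stored "<script>" is rendered as literal text.
      $element[$delta] = array('#markup' => check_plain($item['value']));
    }
    else {
      // Raw output: only safe when the computing code emits trusted markup.
      $element[$delta] = array('#markup' => $item['value']);
    }
  }
  return $element;
}
```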

colan’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Assigned: colan » Unassigned
Status: Fixed » Active
Issue tags: +D6 stable release blocker

Actually, verification is needed to determine if this is required for the D6 version as well.

jedmead’s picture

I just upgraded to Drupal 7.12 and now several of my views are broken with the "Unsanitized" formatter. I am using the "rewrite the output of this field" option with the following pseudo HTML:

<a href="[path]">[field__title]</a><br/>
[field_synopsis]

It was previously producing formatted HTML and now it is generating plain text.

I don't know if this is a 7.12 issue or a Computed Field issue specifically. I recently upgraded to Computed Field 7.x-1.0-beta1.

What is the solution/workaround that I need?

jedmead’s picture

After further probing, I have restored my installation back to "Computed Field 7.x-1.x-dev (2012-Jan-27)" from "7.x-1.0-beta", and the Views functionality described above works as expected (i.e. generating HTML output rather than plain text). This is just a short term solution to keep our website operating as needed, so I am hoping for a solution for "7.x-1.0-beta"

colan’s picture

@jedmead: The machine name changed from "computed_field_default" to "computed_field_unsanitized". So you'll probably have to do the following:

  1. Export the view as code.
  2. Search and replace "computed_field_default" with "computed_field_unsanitized".
  3. Reimport the view.

Hopefully that will work for you.

jedmead’s picture

@colan: Thank you very much for the tip - it worked like a charm and my views are now operational with Computed Field 7.x-1.0-beta. We are also using Computed Field in one of our content types, and solved that issue by changing the Display Format for each field to "Unsanitized". Thanks for your help once again. Best regards.

klavs’s picture

I have the exact same problem as #3 with computed_field 1.0-beta1. I can set the formatter to unsanitized on the field - and if I export the view - it says it uses computed_field_unsanitized - so the fix described in #5 no longer seems to be valid :(

Any ideas as how I can get unsanitized, to actually be unsanitized?

My html btw. is:

[field_completedpercent-value]%

It's a jquery progressbar I want on each item in the view :)

It's late and I'm tired - I just realized I was hijacking an issue here. Creating my own for 7.x. http://drupal.org/node/1560014

  • colan committed 590366f on 8.x-1.x
    Issue #1426372 by colan: Made a sanitized formatter the default.

  • colan committed 590366f on 8.x-2.x
    Issue #1426372 by colan: Made a sanitized formatter the default.

ram4nd’s picture

dqd’s picture

Status: Active » Closed (outdated)

Due to the Drupal core life cycle policy and security support advisory, Drupal 6 is no longer supported. So issues for Drupal 6 can no longer be maintained. The project maintainer has asked for closing all D6 issues to clean up the issue queue. Feel free to reopen the issue if required, or set it to "needs to be ported" and the latest D8 dev version, if the issue discusses a still missing feature which can be implemented in the D8 version.