XSS on node edit form [#268706]

This bug was fixed by a previous D6 SA and never exited in D5, but has not yet been fixed in HEAD. To reproduce:

1. Create a node whose title is "

alert('xss')

" (use actual < and > chars, not the HTML entities).
2. Save the node.
3. Click Edit. Observe the JS popup.

The culprit:

function node_page_edit($node) {
  drupal_set_title($node->title);
  return drupal_get_form($node->type .'_node_form', $node);
}

Contrast with D6's, which calls check_plain($node->title).

Patch attached. We need a test case for this; I haven't written one yet.

Comment	File	Size	Author
#9	node-title-xss-268706-7.patch	2.77 KB	lilou
#6	node-title-xss-268706-6.patch	2.49 KB	floretan
#1	node-title-xss_1.patch	656 bytes	lilou
	node-title-xss.patch	2.94 KB	bjaspan

Comments

Comment #1

lilou commented 10 June 2008 at 02:14

Status	File	Size
new	node-title-xss_1.patch	656 bytes

Delete modules/node/node.install diff ;-)

Comment #2

pwolanin commented 10 June 2008 at 02:15

can we mark as duplicate to: http://drupal.org/node/242873 ?

Comment #3

dww

we/he/they

commented 10 June 2008 at 06:29

Status:

Needs review

» Closed (duplicate)

Yes. ;) #242873: make drupal_set_title() use check_plain() by default. is the better solution to this problem.

Comment #4

bjaspan commented 10 June 2008 at 13:16

Status:

Closed (duplicate)

» Needs review

#1: Ooops, sorry about those node.install changes. That's a glimpse into the automated XSS detection approach I was toying with that revealed this bug.

#2: We can mark this a duplicate of #242873 if and only if that issue gets changed from "feature request, normal priority" to "bug report, critical priority" because this issue is an XSS security vulnerability. It is simpler just to fix this bug now by adding in the check_plain(), matching the current API, and then removing it in the patch for #242873 if/when that patch gets committed.