The Email Field module contains a cross-site scripting vulnerability due to the fact that it fails to sanitize help text entered by users during content type configuration. The following patch should mitigate this vulnerability.

--- email/email.module 2008-08-12 04:12:02.000000000 -0400
+++ email_fixed/email.module 2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen
$element[$field_key] = array(
'#type' => 'textfield',
'#title' => t($field['widget']['label']),
- '#description' => t($field['widget']['description']),
+ '#description' => check_plain(t($field['widget']['description'])),
'#required' => $element['#required'],
'#maxlength' => 255,
'#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,
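Review bot: wrapping the description in check_plain() on the `+` line escapes every tag, so the inline markup the field-description help text explicitly permits (a, b, em, strong, img and so on) would be rendered as literal `&lt;b&gt;` text instead of HTML; this closes the hole but breaks documented functionality. The better fix is filter_xss() with the tag allow-list that the description advertises, i.e. `'#description' => filter_xss(t($field['widget']['description']), $allowed_tags)`, or CCK's own content_filter_xss() wrapper, which carries exactly that list and still strips script tags, event-handler attributes and javascript: URLs from the tags it keeps.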

Comments

Justin_KleinKeane

Attached patch (new, 577 bytes)
mh86

See this announcement http://drupal.org/node/372836 about administer content type permissions.

mh86

Title: Email Field Cross Site Scripting XSS Vulnerability » Unsanitized help text

The description for the help text clearly says:
Allowed HTML tags: <a> <b> <big> <code> <del> <em> <i> <ins> <pre> <q> <small> <span> <strong> <sub> <sup> <tt> <ol> <ul> <li> <p> <br> <img>

If we add a check_plain, we break the support for HTML elements. Rather, we have to use _content_filter_xss_allowed_tags.

Justin_KleinKeane

You're correct about the help text for sure. Are you referring to the filter_xss() function (http://api.drupal.org/api/function/filter_xss) as a fix for this bug? The _field_filter_xss_allowed_tags (http://api.drupal.org/api/function/_field_filter_xss_allowed_tags/7) is only available for Drupal 7, no? Thanks for any clarification and understanding of my ignorance, I'm a security researcher not a Drupal programmer.

Justin_KleinKeane

Attached patch (new, 723 bytes)

I've implemented the filter_xss() function in this version of the patch, would this be your recommendation? Thanks,

greggles

Status: Active » Needs review

For "admin" texts it is common to use http://api.drupal.org/api/function/filter_xss_admin but that allows through a lot of tags which might be a bad idea.

Also slightly better status.

Thanks for the patches, Justin!

mh86

The CCK module contains a function (content_filter_xss) similar to filter_xss_admin, allowing all the HTML elements listed in the description and filtering everything else:

/**
 * Like filter_xss_admin(), but with a shorter list of allowed tags.
 *
 * Used for items entered by administrators, like field descriptions,
 * allowed values, where some (mainly inline) mark-up may be desired
 * (so check_plain() is not acceptable).
 */
function content_filter_xss($string) {
  return filter_xss($string, _content_filter_xss_allowed_tags());
}

/**
 * List of tags allowed by content_filter_xss().
 */
function _content_filter_xss_allowed_tags() {
  return array('a', 'b', 'big',  'code', 'del', 'em', 'i', 'ins',  'pre', 'q', 'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img');
}

I think we should use this one :)
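The difference between the two fixes discussed in this issue, shown on a constructed field description. This is an added example and not code from the Email Field module, CCK or Drupal core: demo_check_plain() stands in for check_plain() (htmlspecialchars with ENT_QUOTES), and demo_filter_xss() is a deliberately simplified stand-in for filter_xss() that mirrors only its core logic (keep allow-listed tags, drop every other tag, strip on* attributes and script URLs from the tags that survive); the real function also handles NUL bytes, entity decoding and several malformed-tag bypasses that are omitted here. The sample description text and the alert() payloads in it are constructed for the demonstration.

```php
<?php
// Added example, not code from the email module, CCK or Drupal core.

// Stand-in for Drupal's check_plain(): escape everything, so even the
// permitted inline tags render as literal text in the form.
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The allow-list from _content_filter_xss_allowed_tags() quoted above.
function demo_allowed_tags() {
  return array('a', 'b', 'big', 'code', 'del', 'em', 'i', 'ins', 'pre', 'q',
    'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p',
    'br', 'img');
}

// Simplified stand-in for filter_xss(): split the string on tags and run
// every tag through demo_filter_tag(). Text between tags passes untouched.
function demo_filter_xss($string, array $allowed_tags) {
  $allowed = array_flip(array_map('strtolower', $allowed_tags));
  return preg_replace_callback('%(<[^>]*(?:>|$)|>)%', function ($m) use ($allowed) {
    return demo_filter_tag($m[1], $allowed);
  }, $string);
}

function demo_filter_tag($tag, array $allowed) {
  // A stray '>' outside any tag is plain text.
  if ($tag === '>') {
    return '&gt;';
  }
  // Anything that is not a well-formed element (comments, a dangling '<')
  // is dropped entirely.
  if (!preg_match('%^<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>?$%', $tag, $parts)) {
    return '';
  }
  $closing = $parts[1] === '/';
  $name = strtolower($parts[2]);
  if (!isset($allowed[$name])) {
    return '';                      // e.g. <script> is not on the list
  }
  if ($closing) {
    return "</$name>";
  }
  $attrs = demo_filter_attributes($parts[3]);
  return '<' . $name . ($attrs === '' ? '' : ' ' . $attrs) . '>';
}

// Keep only attributes that cannot carry script: no on* handlers, no
// javascript:/vbscript:/data: URLs, and re-quote every surviving value.
function demo_filter_attributes($attr_string) {
  $kept = array();
  $pattern = '%([a-zA-Z][a-zA-Z0-9:_-]*)\s*(?:=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?%';
  if (preg_match_all($pattern, $attr_string, $matches, PREG_SET_ORDER)) {
    foreach ($matches as $attr) {
      $name = strtolower($attr[1]);
      if (strpos($name, 'on') === 0) {
        continue;                   // onerror, onmouseover, ...
      }
      if (!isset($attr[2])) {
        $kept[] = $name;            // boolean attribute, no value
        continue;
      }
      $value = trim($attr[2], "\"'");
      if (preg_match('%^\s*(javascript|vbscript|data)\s*:%i', $value)) {
        continue;                   // script-bearing URL scheme
      }
      $kept[] = $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
  }
  return implode(' ', $kept);
}

// Constructed help text as someone with "administer content types" could
// enter it: legitimate inline markup plus three injection attempts.
$description = 'Enter a <b>work</b> address. <img src="x" onerror="alert(1)">'
  . ' <a href="javascript:alert(2)">help</a> <script>alert(3)</script>';

echo demo_check_plain($description), "\n";
echo demo_filter_xss($description, demo_allowed_tags()), "\n";
```

Run with the php CLI, the first line is the check_plain() result: every tag, including the legitimate <b>, appears escaped and would be shown as literal text under the field. The second line is the allow-list result: <b>work</b> and <img src="x"> survive, while the onerror handler, the javascript: href and the whole script element are removed. That is the behaviour the committed content_filter_xss() fix gives, and the reason check_plain() was the wrong tool for text that is documented as accepting HTML.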

mh86

Status: Needs review » Fixed

Hi!

Fix committed (with content_filter_xss, see diff).

Thanks for this report!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.