Unsanitized help text
| Project: | Email Field |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
The Email Field module contains a cross site scripting vulenrability due to the fact that it fails to sanitize help text entered by users during content type configuration. The following patch should mitigate this vulnerability.
--- email/email.module 2008-08-12 04:12:02.000000000 -0400
+++ email_fixed/email.module 2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen
$element[$field_key] = array(
'#type' => 'textfield',
'#title' => t($field['widget']['label']),
- '#description' => t($field['widget']['description']),
+ '#description' => check_plain(t($field['widget']['description'])),
'#required' => $element['#required'],
'#maxlength' => 255,
'#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,
#1
#2
see this ancounment http://drupal.org/node/372836 about administer content type permissions
#3
the description for the help text cleary says:
Allowed HTML tags: <a> <b> <big> <code> <del> <em> <i> <ins> <pre> <q> <small> <span> <strong> <sub> <sup> <tt> <ol> <ul> <li> <p> <br> <img>
if we add a check_plain, we break the support for html elements. We rather have to use _content_filter_xss_allowed_tags
#4
You're correct about the help text for sure. Are you referring to the filter_xss() function (http://api.drupal.org/api/function/filter_xss) as a fix for this bug? The _field_filter_xss_allowed_tags (http://api.drupal.org/api/function/_field_filter_xss_allowed_tags/7) is only available for Drupal 7, no? Thanks for any clarification and understanding of my ignorance, I'm a security researcher not a Drupal programmer.
#5
I've implemented the filter_xss() function in this version of the patch, would this be your recommendation? Thanks,
#6
For "admin" texts it is common to use http://api.drupal.org/api/function/filter_xss_admin but that allows through a lot of tags which might be a bad idea.
Also slightly better status.
Thanks for the patches, Justin!
#7
The CCK module contains a function (content_filter_xss) similar to filter_xss_admin, allowing all listed html elements from the description and filtering everything else
/**
* Like filter_xss_admin(), but with a shorter list of allowed tags.
*
* Used for items entered by administrators, like field descriptions,
* allowed values, where some (mainly inline) mark-up may be desired
* (so check_plain() is not acceptable).
*/
function content_filter_xss($string) {
return filter_xss($string, _content_filter_xss_allowed_tags());
}
/**
* List of tags allowed by content_filter_xss().
*/
function _content_filter_xss_allowed_tags() {
return array('a', 'b', 'big', 'code', 'del', 'em', 'i', 'ins', 'pre', 'q', 'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul', 'li', 'p', 'br', 'img');
}
I think we should use this one :)
#8
Hi!
Fix committed (with content_filter_xss, see diff).
Thanks for this report!
#9
Automatically closed -- issue fixed for 2 weeks with no activity.