This module allows an administrator to add code directly to a page with no filtering. That may be a path for an XSS attack. Fortunately, the module defines a new permission. Unfortunately the title of that permission is not clear enough in warning the admin that it is an "important" permission.

I suggest adding text (in a lot of places) that makes this more clear - project page, readme.txt, and in the permission name itself ("grant with care" or similar).
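One way to carry that warning into the module itself, as an added example that is not this module's code: it assumes the Drupal 7 API (hook_permission(), hook_menu() and the 'restrict access' flag) and a hypothetical module named rawcode.

```php
<?php
// Added example, not the module's own code. Assumes the Drupal 7 API and a
// hypothetical module named "rawcode" whose only job is to store raw,
// unfiltered code that is printed on a page.

/**
 * Implements hook_permission().
 *
 * 'restrict access' => TRUE makes the permissions page print the standard
 * "Warning: Give to trusted roles only; this permission has security
 * implications" notice next to the checkbox, so the admin sees the risk
 * even if they never open the README. The title repeats the point.
 */
function rawcode_permission() {
  return array(
    'add unfiltered code to pages' => array(
      'title' => t('Add unfiltered code to pages (grant with care)'),
      'description' => t('Code entered here is printed with no filtering. Anyone holding this permission can run script in every visitor\'s browser.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * The form that stores the raw code is reachable only for roles that hold
 * the restricted permission above; a generic admin permission such as
 * 'administer site configuration' is deliberately not enough.
 */
function rawcode_menu() {
  $items['admin/config/content/rawcode'] = array(
    'title' => 'Unfiltered page code',
    'description' => 'Store raw HTML or script that is printed without filtering.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('rawcode_settings_form'),
    'access arguments' => array('add unfiltered code to pages'),
  );
  return $items;
}
```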

Comments

greggles

Priority: Normal » Critical

Bumping to critical. I (in coordination and as part of the security team) need a response here or will need to take action directly.

jochen wendebaum

I just added some more intense and extensive information about the security concerns to the module description, also pointing out the other modules which should be used instead.

To the sec-team: if you think this module goes too far, please feel absolutely free to delete it. I wrote this module for my own use some time ago and wanted to share it, but I understand completely that it might introduce some security risks if used in a wrong way.

greggles

Thanks for your help.

It would be great to have some text in the module itself - either in the permission name or the README or both.

sylvain lecoy

Status: Active » Closed (won't fix)