Posted by grendzy on October 17, 2009 at 8:22pm
Jump to:
| Project: | tellafriend |
| Version: | 6.x-2.9 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
| Issue tags: | Security improvements |
Issue Summary
Steps to reproduce:
-- Navigate to admin/settings/tellafriend
-- add the following to "block title":
alert("block title")
-- Submit the form
-- Enable the "tell a friend" block.
| Attachment | Size |
|---|---|
| tellafriend_xss.patch | 1.05 KB |
Comments
#1
What are the effects of applying the function filter_xss_admin ?
#2
It's designed to filter harmful text that could lead to a cross-site scripting attack: http://api.drupal.org/api/function/filter_xss_admin/6
Also see http://drupal.org/node/28984
#3
Fixed in 6.2.10 release
#4
Automatically closed -- issue fixed for 2 weeks with no activity.