Sanitize block title

grendzy - October 17, 2009 - 20:22
Project: tellafriend
Version: 6.x-2.9
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed
Issue tags: Security improvements
Description

Steps to reproduce:
-- Navigate to admin/settings/tellafriend
-- Add the following to "block title":
alert("block title")
-- Submit the form
-- Enable the "tell a friend" block.

Attachment: tellafriend_xss.patch (1.05 KB)

#1

thierry_gd - October 27, 2009 - 14:51

What are the effects of applying the function filter_xss_admin ?

#2

grendzy - October 27, 2009 - 15:08

It's designed to filter harmful text that could lead to a cross-site scripting attack: http://api.drupal.org/api/function/filter_xss_admin/6
Also see http://drupal.org/node/28984
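As an added illustration of the sanitization discussed above (this is not the attached patch or the tellafriend module's own code), a Drupal 6 hook_block() implementation showing the unfiltered block title beside the filtered one; the variable name tellafriend_block_title and the form id tellafriend_form are assumed:

```php
<?php
// Added example, not the module's code. Assumes the admin-entered title is
// stored in the Drupal variable 'tellafriend_block_title' (hypothetical name)
// and that the block body comes from a form with id 'tellafriend_form'.

/**
 * Implements hook_block() with the Drupal 6 signature.
 *
 * theme('block') prints $block->subject without escaping it, so whatever is
 * stored as the block title reaches every page the block appears on. Any
 * account with access to admin/settings/tellafriend can therefore inject
 * markup into the site unless the value is filtered before it is returned.
 */
function tellafriend_block($op = 'list', $delta = 0, $edit = array()) {
  switch ($op) {
    case 'list':
      return array(0 => array('info' => t('Tell a friend')));

    case 'view':
      $title = variable_get('tellafriend_block_title', t('Tell a friend'));
      return array(
        // Vulnerable form: the stored string is emitted as-is.
        // 'subject' => $title,
        //
        // Fixed form: filter_xss_admin() allows the markup an administrator is
        // expected to use in a title but strips <script> and on* handlers.
        'subject' => filter_xss_admin($title),
        'content' => drupal_get_form('tellafriend_form'),
      );
  }
}
```

The same treatment applies to any other admin-supplied string the module prints, not only the block title.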

#3

thierry_gd - October 27, 2009 - 22:27
Status: needs review » fixed

Fixed in 6.2.10 release

#4

System Message - November 10, 2009 - 22:30
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.
