Hi
So when I posted text looking like

<script>
document.write('opsa');
</script>

It shows

opsa

So I added $body=htmlspecialchars($body);
And now it shows

<script>
document.write('opsa');
</script>

My bbcode-filter.inc header

<?php
// $Id: bbcode-filter.inc,v 1.6.4.1 2006/02/03 23:44:28 naudefj Exp $

function _bbcode_filter_process(&$body, $format = -1) {

$body=htmlspecialchars($body);

Thanks for attention ;)
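An added illustration of the fix discussed in this post (my own example code, not bbcode.module's filter), showing why the order matters: the untrusted body is escaped with htmlspecialchars() before the filter turns BBCode tags into HTML, so a posted <script> can never reach the page, while the <strong> and <a> markup the filter itself generates is left intact. The third function applies the same call after the translation step, which neutralises the script but also escapes everything the filter produced; that is the shape of breakage the maintainer's follow-up describes for a feature that emits its own markup. The tag set, regexes and sample input are assumptions of this example.

```php
<?php
// Added illustration, not bbcode.module code: a minimal BBCode-to-HTML
// filter in three variants to show where htmlspecialchars() belongs.

// Vulnerable shape: BBCode tags are translated, but raw HTML typed into
// the body is passed straight through to the page.
function bbcode_vulnerable($body) {
    $patterns = array(
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[url=(https?:\/\/[^\]\s"]+)\](.*?)\[\/url\]/s' => '<a href="$1">$2</a>',
    );
    return preg_replace(array_keys($patterns), array_values($patterns), $body);
}

// Hardened shape: escape first, translate second. Only user-supplied
// characters are escaped; the markup generated below is untouched.
function bbcode_safe($body) {
    $escaped = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    $patterns = array(
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        // After escaping, a literal " inside the URL is already &quot;, so
        // the href attribute cannot be broken out of; scheme limited to http(s).
        '/\[url=(https?:\/\/[^\]\s]+)\](.*?)\[\/url\]/s' => '<a href="$1">$2</a>',
    );
    return preg_replace(array_keys($patterns), array_values($patterns), $escaped);
}

// Wrong ordering for comparison: escaping after translation stops the
// script too, but also escapes every tag the filter just emitted, so the
// output renders as literal text instead of bold text and links.
function bbcode_escape_after($body) {
    return htmlspecialchars(bbcode_vulnerable($body), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, modelled on the post above.
$sample = "[b]hello[/b] [url=http://example.com]site[/url] "
        . "<script>document.write('opsa');</script>";

echo "vulnerable:   ", bbcode_vulnerable($sample), "\n";
echo "escape first: ", bbcode_safe($sample), "\n";
echo "escape after: ", bbcode_escape_after($sample), "\n";
```

Run it with php on the command line: the first line still contains a live <script> element, the second contains <strong> and <a> plus an inert &lt;script&gt;, and the third contains no HTML tags at all, only escaped text.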

Comments

naudefj

Assigned: Unassigned » naudefj
Status: Needs review » Fixed

Unfortunately your patch will break the email encoding feature. Nevertheless, we've fixed the problem in CVS. Please download and use the latest release.

If you spot any other security vulnerabilities, please do let us know.

beginner

Status: Fixed » Active

This is a security issue. bbcode.module users probably won't know about this important fix and use the module they've downloaded before.
Have you contacted the security team so that they can send an advisory to the security newsletter?
Thus, the users will be alerted to upgrade their module.

beginner

Title: XSS html injecition ? » XSS html injection
naudefj

Status: Active » Fixed

This problem was fixed and a notification posted on the BBCode project page. It would be great if you can notify the security team so they can post a notification.

beginner

Status: Fixed » Active

the problem is that the people who already have the module installed have no reason to come back and look at the module homepage.
I saw the announcement only because I do not use this module yet.

naudefj

Priority: Critical » Normal
Status: Active » Closed (fixed)

Good point - please do notify them ASAP.

beginner

Title: XSS html injection » XSS html injection: users need to be alerted of critical update!!!
Priority: Normal » Critical
Status: Closed (fixed) » Active

I just received the Drupal security alert about the form module, and it reminded me of this issue: the old users have not been alerted yet!!!

rereading this thread, I notice you are expecting ME to take action: I don't even use the module! Who is the maintainer???

You better leave this issue open until you find time to alert the drupal security team.

(and since when is a xss injection issue anything less than critical???)

naudefj

Priority: Critical » Normal
Status: Active » Closed (fixed)

This wasn't nearly as critical as you make it out to be. This is now old news anyway. However, if you feel so strongly about it, roll up your sleeves and do something about it yourself.

beginner

Priority: Normal » Critical
Status: Closed (fixed) » Active

I don't know how an xss injection bug is not critical.
Old news? So you can testify that every body who has downloaded your module has upgraded, already?
I am 'rolling up my sleeves' for many things, thank you.
This is just not my job.

naudefj

Status: Active » Closed (fixed)
beginner

Status: Closed (fixed) » Active
naudefj

Assigned: naudefj » Unassigned
Category: bug » support
Priority: Critical » Minor
Status: Active » Closed (won't fix)

Nobody gets paid to maintain this module and it isn't anybody's duty to report security problems. If you need it done, you will have to do it yourself or get someone else to do it for you - that person will not be me!

Issue closed.