Overlay doesn't escape any page titles (residual cleanup)

This is a bit of a strange one!

Since D7, titles are escaped automatically in drupal_set_title(). And so, if you print out $variables['head_title'] from overlay_preprocess_html() (see above) you will see it is indeed already escaped.

So what's happening?

Well it looks like it is un-escaping itself again!

I've not quite got my head around this, but I guess what is happening is this line...

var iframeTitle = self.$iframeDocument.attr('title');

at line 430 of overlay-parent.js is grabbing the rendered title (i.e. the head title) instead of the raw HTML for the title. And of course the escaped but rendered HTML looks like the original UNescaped HTML.

Using check_plain() on this line - $variables['head_title'] = drupal_get_title(); would correct the issue, but that would essentially double escape the title before unescaping once. It would be good to avoid such a dance!

In a normalized DOM document (ie upon load), the value and nodevalue attributes of AttributeNodes (Attr) are the normalized values returned by the parser. So "&lt;foo" will be normalized to "<foo".

The remedy is simple; Use Drupal.checkPlain on the value before reinserting as a string.

Using Drupal.checkPlain will be buggy in some situations where we want some HTML to be rendered. One such example is the node edit page which puts em tags around the content type (e.g. <em>Edit Article</em> Example node title). Once normalized we have no way of knowing what should be rendered and what should be escaped because <foo gets parsed as <foo and <foo ALSO gets parsed as <foo.

Escaping twice by doing $variables['head_title'] = check_plain(drupal_get_title()); solves that problem in a pretty ugly way. But I don't understand the JS well enough to know if there is a cleaner way of getting the title.

The js code is getting the title from 'title' attribute of the iframe document, which is returning the unescaped string.

Instead, it should get the content of the <html> element.

The attached patch changes to this, and apparently fixes the issue.

Unfortunately that also normalizes the output. However, it does the opposite of using attr; i.e. both <foo and <foo is retrieved as <foo. So we end up with the same problem as if we used Drupal.checkPlain. (Again, edit a node in the overlay for an example of the problem.)

Would it make sense to put the title as a JS setting?

"Would it make sense to put the title as a JS setting?"

I think so. I've started doing that this way, but didn't get the chance to finish this yet. I should get a working patch this week, or during the weekend.

Are we considering adding a JS setting like in my first attached patch? All that just to avoid double-escaping to get around the browser "feature" of unescaping attribute values? I much prefer the second attached patch. The second patch introduces a little 'wtf?', while the first patch introduces a big 'WTFH?!' in my opinion. I strongly favor the second patch.

Sounds good. However, you can't do the escaping on the JS side with checkPlain, you need to do it on the PHP side (see #4 above).

Sounds sane to me. Using a var actually makes sense, instead of hijjacking the title with jquery. It should also provide a tiny speed increase, since it's 1 DOM manip less. Yay!

The patch seems to work as expected.

However, we still need to keep the old behavior around as a fallback in case the JS setting isn't there, and in that case we need to run it through checkPlain().

David, I'm not sure I understand. Why wouldn't the JS setting be always there?

This patch is touching essential Overlay functionality and I don't see ksenzee anywhere in this issue.

+++ modules/overlay/overlay-parent.js	3 Apr 2010 16:55:29 -0000
@@ -448,13 +448,20 @@ Drupal.overlay.bindChild = function (ifr
+  var childTitle = Drupal.settings.overlay.childTitle || Drupal.checkPlain(self.$iframeDocument.attr('title'));
...
+  self.$iframe.attr('title', Drupal.t('@title dialog', { '@title': childTitle }));

The @-placeholder already invokes Drupal.checkPlain().

113 critical left. Go review some!

+++ modules/overlay/overlay.module	3 Apr 2010 16:55:30 -0000
@@ -265,8 +265,6 @@ function overlay_preprocess_html(&$varia
-    // Do not include site name or slogan in the overlay title.
-    $variables['head_title'] = drupal_get_title();

This means that when no title is passed via JS, the title will contain a slogan.

Powered by Dreditor.

To give some perspective, I think we originally intended to use unescaped / stripped tag values of the page title, so we used the document title but intended to not include the slogan/etc, so we did override the value in the template. However, critical escaping is indeed missing from the original code. The overriden head_title does have the page title strip-tagged, the site name check_plained and the slogan filter_xss_admin-d. I believe our original intention was to only get the page title without slogan and site name but omitted the string tagging for some reason. There have been some shuffling around in this area of escaping these items, but that does not make it less of an XSS issue.

See also #655742: HTML HEAD title cannot be safely output differently -- a super-simple patch that allows to retrieve individual parts of 'head_title' and remix them without performance or security penalties.

The JS setting approach seems fine to me. I wouldn't worry about #19 until we actually start putting authorize.php in the overlay. We can fix details then. I do think David's fallback code is a good idea though, so we don't code ourselves into a corner. So IMO all we need now is a fix for #18.

+++ modules/overlay/overlay-parent.js	3 Apr 2010 16:55:29 -0000
@@ -448,13 +448,20 @@ Drupal.overlay.bindChild = function (ifr
+  self.$container.dialog('option', 'title', childTitle);

For #18 don't we still need the checkPlain because of this?

Powered by Dreditor.

patch still applies (with offset).

When #668640: Overlay shouldn't be based on jQuery UI Dialog lands, we only need to add strip_tags() to "$variables['head_title'] = drupal_get_title();" in overlay_preprocess_html().

Re #28: #668640: Overlay shouldn't be based on jQuery UI Dialog is in. Looking forward to that patch. :)

Like this?

Yes

LOL, now you proposed this I realized we didn't even need to override the head_title :)

The head_title is being used for the <title> of the overlay iframe; this isn't visible anywhere. Why don't we just stop overriding it?

I don't really like a JS setting for this. What about using jQuery .text() on #overlay-title?

We do that all the time in Javascript; using id's and classes and expecting them to exist.

#36 protects us from the security concern, since the unescaped title won't be displayed in the case of a non-compliant theme, and that's the core of this issue and what is blocking us from moving ahead. It seems reasonable to me, especially if there's precedent in core.

[edit - dbl post]

While reviewing, we discovered that other menu titles in the overlay are vulnerable, not just the #overlay-title.

Example steps to reproduce:
1.) admin/structure/menu/manage/management

2.) Edit the 'System' link under Configuration, adding to the title

3.) From toolbar, with overlay enabled, click Configuration.

Results: XSS pop-up

So the sub-menu item titles are also affected.

#la-drupal code sprint

hmm. The above issue is not specific to overlay; it triggers with overlay off. Maybe it doesn't matter, since it requires administer menus to exploit? The concern would be if a user generated node were displayed in an overlay, so menu items are not especially relevant. Do I understand the issue correctly?

toolbar module was the bad apple.

A patch for the general menu title issue is here: #825982: admin menu blocks have XSS vulnerability

With the patch in #43 and #825982: admin menu blocks have XSS vulnerability I cannot reproduce the original issue. Looks good to me.

#la-drupal code sprint

Committed to CVS HEAD. Thanks.