By putting malicious data in the name or description fields for new feed importers, you can trigger XSS in the admin screen (/admin/build/feeds). The following patch fixes this:

--- old-feeds/feeds_ui/feeds_ui.admin.inc 2010-07-06 11:16:33.000000000 -0400
+++ feeds/feeds_ui/feeds_ui.admin.inc 2010-07-13 13:13:48.000000000 -0400
@@ -63,8 +63,8 @@ function feeds_ui_overview_form(&$form_s
);
foreach (feeds_importer_load_all(TRUE) as $importer) {
$importer_form = array();
- $importer_form['name']['#value'] = $importer->config['name'];
- $importer_form['description']['#value'] = $importer->config['description'];
+ $importer_form['name']['#value'] = filter_xss($importer->config['name']);
+ $importer_form['description']['#value'] = filter_xss($importer->config['description']);
if (empty($importer->config['content_type'])) {
$importer_form['attached']['#value'] = '[none]';
}
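Review bot: filter_xss() is a permissive choice for these two fields. With no second argument it still lets the default tag list (a, em, strong, cite, code, ul, ol, li, dl, dt, dd) through, so an importer named with markup renders as markup in the admin table; since name and description are plain-text labels, check_plain() on both lines would be the tighter fix and would show the stored text exactly as entered. Also note that this hunk escapes only the overview form built here; any other place the raw $importer->config['name'] or ['description'] is printed (importer edit pages, page titles) is outside this hunk and should be checked for the same issue.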

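Why the unescaped '#value' assignment was exploitable, and why a plain tag allow-list would not have been a safe alternative, as an added stand-alone PHP example. This is not code from the Feeds module, from Drupal core or from the patch above: the importer config and its payloads are constructed, and the render_row_* functions are hypothetical stand-ins for how the overview table row is assembled.

```php
<?php
// Added example, not part of Feeds or the patch. The importer config is
// constructed; the payloads are what a user allowed to create importers
// could save in the name and description fields.
$importer_config = array(
  'name'        => 'News <script>alert("name")</script>',
  'description' => 'Imports <em onmouseover="alert(\'desc\')">RSS</em> items',
);

// Before the patch: values were copied into '#value' untouched and rendered
// as markup, so the browser executes whatever the importer author stored.
function render_row_vulnerable(array $config) {
  return '<td>' . $config['name'] . '</td><td>' . $config['description'] . '</td>';
}

// Equivalent of Drupal's check_plain(): '<', '>', '&' and quotes become
// entities, so no markup survives. Right for plain-text labels like these.
function render_row_escaped(array $config) {
  $name = htmlspecialchars($config['name'], ENT_QUOTES, 'UTF-8');
  $desc = htmlspecialchars($config['description'], ENT_QUOTES, 'UTF-8');
  return '<td>' . $name . '</td><td>' . $desc . '</td>';
}

// A bare tag allow-list is NOT enough: strip_tags() keeps every attribute of
// an allowed tag, so the onmouseover handler survives. filter_xss() is safe
// where strip_tags() is not because it also drops on* event attributes and
// javascript: URLs on the tags it keeps.
function render_row_naive_allowlist(array $config) {
  $name = strip_tags($config['name'], '<em><strong>');
  $desc = strip_tags($config['description'], '<em><strong>');
  return '<td>' . $name . '</td><td>' . $desc . '</td>';
}

// Quick check on the rendered row: a script element, or an event-handler
// attribute / javascript: URL inside an actual tag, means active content.
function contains_active_content($html) {
  return (bool) preg_match(
    '/<script\b|<[a-z]+[^>]*\bon[a-z]+\s*=|<[a-z]+[^>]*javascript:/i', $html);
}

foreach (array('vulnerable', 'escaped', 'naive_allowlist') as $variant) {
  $html = call_user_func('render_row_' . $variant, $importer_config);
  printf("%-16s active content: %s\n  %s\n", $variant,
    contains_active_content($html) ? 'YES' : 'no', $html);
}
```

Run with `php example.php`: the vulnerable and naive_allowlist rows both report active content, the escaped row does not. The naive_allowlist case is the one to remember: removing the script tag from the name looks like a fix while the description's event handler still fires.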
Comments

snoldak924

Status: Active » Closed (fixed)