The theme reaction makes section_title and section_subtitle available to page.tpl.php but doesn't wrap them in check_plain, which means those vars could contain malicious data.

CommentFileSizeAuthor
#6 context-theme-vars-security-3.x.patch1.23 KBSteven Jones
#6 context-theme-vars-security-2.x.patch1.12 KBSteven Jones
context_check_plain.patch976 bytesbblake
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

febbraro’s picture

febbraro CreditAttribution: febbraro commented

subscribe

jmiccolis’s picture

jmiccolis CreditAttribution: jmiccolis commented
Status: Active » Fixed

Thanks for the patch, it has been committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jmiccolis’s picture

jmiccolis CreditAttribution: jmiccolis commented
Version: 7.x-3.0-alpha2 » 6.x-3.x-dev
Assigned: Unassigned » jmiccolis
Status: Closed (fixed) » Patch (to be ported)

I birdy told me that this may also need to be fixed in 6.x

coltrane’s picture

coltrane
he/him
CreditAttribution: coltrane commented

Section class should also be sanitized because a value of "><script>alert('class');</script><-- can escape the class attribute and get JS executed.

Note: this issue has been cleared by the Security Team because the permission 'administer site configuration' is required to enter malicious JS into these fields

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented
FileSize
context-theme-vars-security-2.x.patch1.12 KB
context-theme-vars-security-3.x.patch1.23 KB

Patches for 6.x-2.x and 6.x-3.x attached.

jmiccolis’s picture

jmiccolis CreditAttribution: jmiccolis commented
Status: Patch (to be ported) » Fixed

I've applied the 3.x patch and Steven applied the 2.x one.

Thanks for the help! Setting to closed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.