The theme reaction makes section_title and section_subtitle available to page.tpl.php but doesn't wrap them in check_plain, which means those vars could contain malicious data.
Comment | File | Size | Author
---|---|---|---
#6 | context-theme-vars-security-3.x.patch | 1.23 KB | Steven Jones
#6 | context-theme-vars-security-2.x.patch | 1.12 KB | Steven Jones
 | context_check_plain.patch | 976 bytes | bblake
Comments
Comment #1
febbraro commented: subscribe
Comment #2
jmiccolis commented: Thanks for the patch, it has been committed.
Comment #4
jmiccolis commented: A birdy told me that this may also need to be fixed in 6.x
Comment #5
coltrane commented: Section class should also be sanitized because a value of
"><script>alert('class');</script><--
can escape the class attribute and get JS executed.

Note: this issue has been cleared by the Security Team because the permission 'administer site configuration' is required to enter malicious JS into these fields.
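The two sanitization points raised in this issue (the unescaped section_title/section_subtitle from the original report, and the section class from comment #5) are illustrated below with an added example. This is not the Context module's committed patch or any of the attached files; the hook name `example_theme_preprocess_page`, the helper `example_clean_class`, and the variable name `section_class` are assumptions for illustration, while `check_plain()` is the Drupal 6/7 core function the report refers to.

```php
<?php
// Added example, not the Context module's own code: sanitize the theme
// variables the Context theme reaction hands to page.tpl.php before the
// template prints them. Function and variable names are assumed.

/**
 * Implements hook_preprocess_page() (assumed theme/module name "example_theme").
 */
function example_theme_preprocess_page(&$vars) {
  // Title and subtitle are printed as text nodes. check_plain() escapes
  // <, >, &, " and ' so the browser never treats the value as markup.
  foreach (array('section_title', 'section_subtitle') as $key) {
    if (isset($vars[$key])) {
      $vars[$key] = check_plain($vars[$key]);
    }
  }

  // The class is printed inside an attribute value. check_plain() on its own
  // already stops the "><script> breakout quoted in comment #5 (the quote
  // becomes &quot;), but a class name only needs a small character set, so
  // the helper below restricts it further before escaping.
  if (isset($vars['section_class'])) {
    $vars['section_class'] = example_clean_class($vars['section_class']);
  }
}

/**
 * Reduce a string to a safe class list (letters, digits, '-', '_' and spaces),
 * then escape it for attribute output. Helper for this example only; not a
 * Drupal core or Context module function.
 */
function example_clean_class($class) {
  $class = preg_replace('/[^A-Za-z0-9_\- ]/', '', $class);
  return check_plain(trim($class));
}

// Worked check with constructed input; the class value is the payload quoted
// in comment #5. After preprocessing, the template can print the variables
// as-is:
//   <h1 class="<?php print $section_class; ?>"><?php print $section_title; ?></h1>
$vars = array(
  'section_title' => '<script>alert("title")</script>',
  'section_subtitle' => 'Plain & simple',
  'section_class' => '"><script>alert(\'class\');</script><--',
);
example_theme_preprocess_page($vars);
// $vars['section_title']    => &lt;script&gt;alert(&quot;title&quot;)&lt;/script&gt;
// $vars['section_subtitle'] => Plain &amp; simple
// $vars['section_class']    => scriptalertclassscript--
```

Escaping in the preprocess hook (rather than in each template) means every theme that uses these variables gets the same protection, which matters because page.tpl.php in a contributed or custom theme cannot be assumed to wrap them itself.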
Comment #6
Steven Jones commented: Patches for 6.x-2.x and 6.x-3.x attached.
Comment #7
jmiccolis commented: I've applied the 3.x patch and Steven applied the 2.x one.
Thanks for the help! Setting to closed!