Version: 7.x-2.x-dev
Risk: not critical

openlayers_ui does not sanitize titles and descriptions for maps on admin/structure/openlayers/maps. Adding a new map on admin/structure/openlayers/maps/add with Map Description "<script>alert('XSS');</script>" demonstrates an XSS exploit.

Of course an attacker needs the "administer openlayers" permission to place a malicious script snippet there, so this is rather boring. The permission is not marked as restricted in hook_permission(), so this is a small security issue.

This has been discussed with the Drupal security team: this vulnerability can be fixed publicly as per http://drupal.org/security-advisory-policy because it affects a branch (or branches) of a project that does not have a "stable release".
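As an added illustration of the two points the report makes (output escaping on the admin listing and marking the permission as restricted), here is how a Drupal 7 module would render such a listing safely. This is example code written for this page, not the OpenLayers module's own code or its actual fix; the `openlayers_example_*` function names and the sample map object are hypothetical, while `check_plain()`, `filter_xss()`, `theme('table', ...)` and the `'restrict access'` key of `hook_permission()` are standard Drupal 7 API.

```php
<?php
// Added example, not code from the openlayers module. Shows an unescaped admin
// listing beside the escaped version, plus a hook_permission() entry flagged
// as restricted. All openlayers_example_* names are hypothetical.

/**
 * Implements hook_permission().
 */
function openlayers_example_permission() {
  return array(
    'administer openlayers' => array(
      'title' => t('Administer OpenLayers'),
      // 'restrict access' makes Drupal warn on the permissions page that
      // granting this permission has security implications.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Vulnerable listing: values go into the table exactly as stored.
 */
function openlayers_example_maps_list_unsafe(array $maps) {
  $rows = array();
  foreach ($maps as $map) {
    // Anything stored in title/description, including <script> tags,
    // reaches the browser verbatim and executes in the admin's session.
    $rows[] = array($map->title, $map->description);
  }
  return theme('table', array(
    'header' => array(t('Title'), t('Description')),
    'rows' => $rows,
  ));
}

/**
 * Fixed listing: escape each value at the point of output.
 */
function openlayers_example_maps_list_safe(array $maps) {
  $rows = array();
  foreach ($maps as $map) {
    $rows[] = array(
      // check_plain() HTML-encodes <, >, &, " so the title is always text.
      check_plain($map->title),
      // filter_xss() keeps a small whitelist of harmless tags (em, strong,
      // a, ul, li, ...) and strips script tags, event-handler attributes
      // and javascript: URLs, so light formatting survives but cannot run.
      filter_xss($map->description),
    );
  }
  return theme('table', array(
    'header' => array(t('Title'), t('Description')),
    'rows' => $rows,
  ));
}

/**
 * Constructed sample input (not from the issue) for trying both renderers
 * from a bootstrapped Drupal environment, e.g. `drush php-eval`.
 */
function openlayers_example_sample_maps() {
  return array((object) array(
    'title' => 'Demo <b>map</b>',
    'description' => '<script>alert("XSS");</script> <em>Visitors</em>',
  ));
}
```

Run against the sample, the unsafe renderer emits the script tag into the page; the safe renderer shows the title's `<b>` as literal text and keeps `<em>` in the description while the script element is removed. Escaping belongs at output time, as here, rather than at save time, so stored data stays intact and every render path is covered.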

Comments

zzolo

Thanks @klausi for catching that. I'll try to take care of it this week or next.

zzolo

Addressed in 6.x-2.x: http://drupalcode.org/project/openlayers.git/commit/82127b3
And in 7.x-2.x: http://drupalcode.org/project/openlayers.git/commit/bec562b

Security Team, if you can confirm that this fixes things, then I can do a release. Thanks.

zzolo

I have also set up two tags ready for release that basically only have the security fix on them.

zzolo

Status: Active » Fixed

Released and told Security Team.

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous

Issue summary: View changes

Updated issue summary.