Version: 7.x-2.x-dev
Risk: not critical
openlayers_ui does not sanitize title and descriptions for maps on admin/structure/openlayers/maps. Adding a new map on admin/structure/openlayers/maps/add with Map Description "<script>alert('XSS');</script>" demonstrates an XSS exploit.
Of course an attacker needs the "administer openlayers" permission to place a malicious script snippet there, so this is rather boring. The permission is not marked as restricted in hook_permission(), so this is a small security issue.
This has been discussed with the Drupal security team: this vulnerability can be fixed publicly as per http://drupal.org/security-advisory-policy because it affects a branch (or branches) of a project that does not have a "stable release".
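As an added example (not part of the original report and not the module's actual fix), the following Drupal 7 style PHP shows the two mitigations the report points to: escaping the user-entered title and description with check_plain() before output, and marking the permission as restricted in hook_permission(). The module name example_maps, the permission name and the map array layout are hypothetical, and the check_plain() stand-in exists only so the file also runs outside Drupal.

```php
<?php
// Added example, not code from the OpenLayers module. The module name
// "example_maps" and the map array layout are hypothetical.

// Stand-in so the file also runs outside Drupal; Drupal 7's check_plain()
// is htmlspecialchars() with ENT_QUOTES and UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Implements hook_permission().
 */
function example_maps_permission() {
  return array(
    'administer example maps' => array(
      // Wrap both strings in t() in a real module.
      'title' => 'Administer example maps',
      'description' => 'Create and edit map definitions.',
      // Flags the permission as security-sensitive on the permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Builds rows for a map overview table, escaping user-entered fields.
 */
function example_maps_overview_rows(array $maps) {
  $rows = array();
  foreach ($maps as $map) {
    $rows[] = array(
      check_plain($map['title']),
      check_plain($map['description']),
    );
  }
  return $rows;
}

// Constructed sample input reusing the description from the report.
$maps = array(
  array('title' => 'Demo map', 'description' => "<script>alert('XSS');</script>"),
);
$rows = example_maps_overview_rows($maps);
// The description is printed with its markup escaped, so it renders as text.
print $rows[0][1] . "\n";
```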
Comments
Comment #1
zzolo commented:
Thanks @klausi for catching that. I'll try to take care of it this week or next.
Comment #2
zzolo commented:
Addressed in 6.x-2.x: http://drupalcode.org/project/openlayers.git/commit/82127b3
And in 7.x-2.x: http://drupalcode.org/project/openlayers.git/commit/bec562b
Security Team, can confirm that this fixes things, then I can do a release. Thanks.
Comment #3
zzolo commented:
I have also set up two tags ready for release that basically only have the security fix on them.
Comment #4
zzolo commented:
Released and told Security Team.
Comment #5.0
(not verified) commented:
Updated issue summary.