Unsanitized output in role_delegation_delegate_roles_action_form() [#1193868]

Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.

Closed (fixed)

Project:

Role Delegation

Version:

7.x-1.0

Component:

Code

Priority:

Critical

Category:

Bug report

Assigned:

Andrew Schulman

Issue tags:

Security improvements about tags

Security improvements

It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it.
Do NOT publicly disclose security vulnerabilities; contact the security team instead.

Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Reporter:

Andrew Schulman

Created:

20 Jun 2011 at 10:07 UTC

Updated:

4 Jan 2014 at 00:53 UTC

Jump to comment: Most recent

role_delegation_delegate_roles_action_form() doesn't sanitize the value of the #title attribute in the form. The value is a role name, which is stored unsanitized in the database. It needs to be sanitized for output with check_plain().

The Drupal security team has cleared this bug to be fixed publicly.