Reported as a security issue a while back, but as this is still in RC and the maintainer has not responded, I have added this as a public issue:

Tested with 1.0-rc4, there is a non-persistent XSS vulnerability. URL:
http://example.org/twitter_pull_lazy/WFNT-PHNjcmlwdD5hbGVydCgnWFNTJyk7PC...

Will output an alert with XSS to the user.

Is this functionality used?
If so, using check_plain on the title should fix the issue.


Comments

relaxnow

jec006

Status: Active » Fixed

Apparently my spam filter felt the security alert was spam and I didn't see it. In the 7.x branches I've elected to use filter_xss instead of check_plain, as people may wish to have some markup in their titles (i.e. strong, em, etc.).

This has been fixed in all branches.
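An added illustration of the two output-escaping choices discussed in this thread, written as a Drupal 7 page callback; it is not the twitter_pull module's own code. The route name, the callback and function names, and the tag whitelist are assumptions, and the snippet expects a bootstrapped Drupal 7 site so that check_plain() and filter_xss() are available.

```php
<?php
/**
 * Implements hook_menu() for a hypothetical module "example_twitter_pull".
 * The path mirrors the one in the report; everything else is assumed.
 */
function example_twitter_pull_menu() {
  $items['twitter_pull_lazy/%'] = array(
    'page callback'   => 'example_twitter_pull_lazy',
    'page arguments'  => array(1),
    'access callback' => TRUE,
    'type'            => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback. $raw_title is taken straight from the URL, so it is
 * attacker controlled and must never reach the page unescaped.
 */
function example_twitter_pull_lazy($raw_title) {
  // Vulnerable pattern (the reflected XSS): URL input concatenated into
  // HTML as-is. Left commented out so the page never renders it.
  // $output = '<h2>' . $raw_title . '</h2>';

  // Fix 1: check_plain() turns every '<', '>', '&' and quote into an
  // entity, so the value is rendered as text and no markup survives.
  $plain = check_plain($raw_title);

  // Fix 2 (the maintainer's choice for 7.x): filter_xss() keeps a small
  // whitelist of tags and drops everything else, including <script>,
  // on* event attributes and javascript: URLs, so simple inline
  // formatting in titles still works.
  $allowed_tags = array('em', 'strong');
  $filtered = filter_xss($raw_title, $allowed_tags);

  // Either value is safe to embed; $plain is the stricter of the two.
  return '<h2>' . $filtered . '</h2>' . '<p>' . $plain . '</p>';
}
```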

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.