Wouldn't it make sense to check_plain() the $match variable in videojs_filter.module on line 161?

Currently the content of the filter tags is used without any security checks, it seems, and that might be a potential security hole in my eyes, because users may input dangerous code into the videojs content.
Could someone else have a look at that, perhaps?

My suggestion is simple:

  foreach ($matches[0] as $match) {
    $attr = array();
    $file = array();
    $orig_match[] = $match;
    // Modification here:
    $match = str_replace(array('[', ']', '{', '}'), '', check_plain($match));
    $options = explode('|', $match);
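
The effect of the suggested check_plain() call, as an added example that is not part of the original post or of the module's code. It assumes a simplified `[videojs:file|key=value]` tag syntax, a hypothetical `example_videojs_render()` function with assumed option names, and a stand-in for `check_plain()` so it runs outside Drupal:

```php
<?php
// Stand-in for Drupal 7's check_plain(), which wraps htmlspecialchars() this way.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Hypothetical, simplified filter step (not the module's code): parse
 * "[videojs:src|key=value|...]" and emit a <video> tag.
 * $escape toggles the check_plain() call suggested in the post above.
 */
function example_videojs_render($match, $escape) {
  if ($escape) {
    $match = check_plain($match);
  }
  $match = str_replace(array('[', ']', '{', '}'), '', $match);
  $options = explode('|', $match);
  // First segment carries the source after the assumed "videojs:" prefix.
  $src = preg_replace('/^videojs:/', '', array_shift($options));
  // Assumed option names; escaping values does not constrain attribute names,
  // so only known keys are accepted in both code paths.
  $allowed = array('width', 'height', 'poster');
  $attr = array();
  foreach ($options as $option) {
    $parts = explode('=', $option, 2);
    if (count($parts) === 2 && in_array(trim($parts[0]), $allowed, TRUE)) {
      $attr[] = trim($parts[0]) . '="' . trim($parts[1]) . '"';
    }
  }
  return '<video src="' . $src . '" ' . implode(' ', $attr) . '></video>';
}

// Constructed sample input: a width value that tries to close its attribute.
$token = '[videojs:clip.mp4|width=640" onerror="alert(1)]';

// Without escaping, the quote ends the width attribute and a second
// attribute appears in the markup.
echo example_videojs_render($token, FALSE), "\n";

// With check_plain(), the quotes become &quot; and the whole value stays
// inside the width attribute.
echo example_videojs_render($token, TRUE), "\n";
```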

Comments

yaremchuk

Status: Active » Needs review

Hi Julian,

I appreciate your interest in the module.

I will be glad if you join the maintainers of this module.
I have added you.

Please add your ideas to the module,
I think it will be good if the commits belong to you.

Best,
Vasily

yaremchuk

Issue summary: View changes

Correction in code.