A user can change the text in the send to phone form after changing the HTML disabled attribute in the browser, and send a message.
Comment | File | Size | Author |
---|---|---|---|
#6 | user_can_change_text-2232285-6.patch | 4.78 KB | almaudoh |
#5 | user_can_change_text-2232285-5.patch | 3.25 KB | almaudoh |
Comments
Comment #1
batje commented: Could you describe this a bit more clearly, like a step-by-step guide?
Comment #2
kaido.toomingas commented: You can do this by using the Chrome developer tools and changing the text. The message field is disabled only on the client side. I guess if this text has to be in a certain form then it should not be inside a real text field.
Comment #3
batje commented: Can you provide a patch for this?
Comment #4
kaido.toomingas commented: Sorry, not really. I just tested the module generally and noticed.
Comment #5
almaudoh commented: I have looked at this issue. It is not necessarily a security vulnerability, since a user may still have other privileges to send SMS containing dangerous links. I have, however, implemented a fix that ensures that even if the user enables the textarea and changes the link from the client side, the inputted link is ignored while the original link is still sent in the SMS.
Additionally, I have implemented the following:
However, this patch will not show the links properly until #2290429: sms_user attachment to user object not always initialized is fixed.
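The behaviour described in comment #5, sketched as an added example in plain PHP; it is not the attached patch and does not use the module's or Drupal's Form API. The function names, the in-memory store and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names, not the SMS Framework module's code.

/** Build the form. The authoritative message is stored server-side only. */
function build_send_form(array &$store, string $message): array {
    $form_id = bin2hex(random_bytes(16));
    $store[$form_id] = $message;
    // 'message' is what gets rendered into <textarea disabled>; display only.
    return ['form_id' => $form_id, 'message' => $message];
}

/** Handle a submission. The posted 'message' is untrusted and never sent. */
function submit_send_form(array &$store, array $post): array {
    $form_id = $post['form_id'] ?? '';
    if (!is_string($form_id) || !isset($store[$form_id])) {
        return ['sent' => false, 'error' => 'unknown or expired form'];
    }
    $original = $store[$form_id];
    unset($store[$form_id]); // each built form can be submitted once
    // Browsers leave disabled controls out of the POST body, so a differing
    // value here means the attribute was removed on the client.
    $tampered = isset($post['message']) && $post['message'] !== $original;
    return [
        'sent'     => true,
        'number'   => is_string($post['number'] ?? null) ? $post['number'] : '',
        'message'  => $original, // the server copy, whatever was posted
        'tampered' => $tampered, // worth logging
    ];
}

// Constructed sample data: $store stands in for the session or form cache.
$store = [];
$text  = 'Read this page: https://example.com/node/1';

$form   = build_send_form($store, $text);
$honest = submit_send_form($store, ['form_id' => $form['form_id'], 'number' => '15555550100']);

$form   = build_send_form($store, $text);
$edited = submit_send_form($store, [
    'form_id' => $form['form_id'],
    'number'  => '15555550100',
    'message' => 'Read this page: https://changed.example/',
]);

foreach (['honest' => $honest, 'edited' => $edited] as $label => $r) {
    printf("%s: tampered=%s message=%s\n", $label, var_export($r['tampered'], true), $r['message']);
}
```

Both submissions send the original text; only the second is flagged as tampered.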
Comment #6
almaudoh commented: Updated patch.
Comment #8
almaudoh commented: Committed / pushed to 7.x-1.x.