I have found several spots in the code vulnerable to XSS exploits. Please add these patches:

--- /tmp/feeds/feeds.pages.inc	2010-05-04 17:24:58.000000000 -0400
+++ feeds/feeds.pages.inc	2010-07-14 10:17:18.000000000 -0400
@@ -29,7 +29,7 @@ function feeds_page() {
       }
       $rows[] = array(
         l($title, $link),
-        $importer->config['description'],
+        filter_xss($importer->config['description']),
       );
     }
   }
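Review bot: `filter_xss()` is an HTML filter, not an escaper: with its default allow-list it keeps tags such as `<a>` and `<em>`, so a description that contains markup still renders as markup in this table cell. If the importer description is meant to be plain text (how it is entered is not visible here), the cell should be escaped instead: `check_plain($importer->config['description']),`. The same choice applies to the `name`/`description` values in the feeds_ui_overview_form hunk and to the `source`/`target` cells in the first theme_feeds_ui_mapping_form hunk. The body of feeds_page continues outside the hunk.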

--- /tmp/feeds/feeds_ui/feeds_ui.admin.inc	2010-07-06 11:16:33.000000000 -0400
+++ feeds/feeds_ui/feeds_ui.admin.inc	2010-07-14 09:19:39.000000000 -0400
@@ -63,8 +63,8 @@ function feeds_ui_overview_form(&$form_s
   );
   foreach (feeds_importer_load_all(TRUE) as $importer) {
     $importer_form = array();
-    $importer_form['name']['#value'] = $importer->config['name'];
-    $importer_form['description']['#value'] = $importer->config['description'];
+    $importer_form['name']['#value'] = filter_xss($importer->config['name']);
+    $importer_form['description']['#value'] = filter_xss($importer->config['description']);
     if (empty($importer->config['content_type'])) {
       $importer_form['attached']['#value'] = '[none]';
     }
@@ -766,8 +766,8 @@ function theme_feeds_ui_mapping_form($fo
   if (is_array($form['#mappings'])) {
     foreach ($form['#mappings'] as $i => $mapping) {
       $rows[] = array(
-        $mapping['source'],
-        $mapping['target'],
+        filter_xss($mapping['source']),
+        filter_xss($mapping['target']),
         drupal_render($form['unique_flags'][$i]),
         drupal_render($form['remove_flags'][$i]),
       );
@@ -808,8 +808,8 @@ function theme_feeds_ui_mapping_form($fo
   $rows = array();
   foreach (element_children($form['legendset']['legend']['targets']) as $k) {
     $rows[] = array(
-      drupal_render($form['legendset']['legend']['targets'][$k]['name']),
-      drupal_render($form['legendset']['legend']['targets'][$k]['description']),
+      filter_xss(drupal_render($form['legendset']['legend']['targets'][$k]['name'])),
+      filter_xss(drupal_render($form['legendset']['legend']['targets'][$k]['description'])),
     );
   }
   $legend .= '<h4>'. t('Targets') .'</h4>';
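Review bot: Wrapping `drupal_render()` in `filter_xss()` filters the finished HTML instead of the untrusted value, so any markup the render layer itself emits that is not on the default allow-list is stripped too, while allowed tags inside the value still pass through. The safer place for the fix is where `$form['legendset']['legend']['targets']` is populated, which is outside this hunk: pass the target `name` and `description` through `check_plain()` there and leave these two cells as plain `drupal_render(...)` calls. A short comment on the builder, such as `// Target labels come from configuration; escape before rendering.`, would record why the escape is needed.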

--- /tmp/feeds/plugins/FeedsCSVParser.inc	2010-07-06 13:09:43.000000000 -0400
+++ feeds/plugins/FeedsCSVParser.inc	2010-07-14 10:16:23.000000000 -0400
@@ -71,7 +71,7 @@ class FeedsCSVParser extends FeedsParser
     $mappings = feeds_importer($this->id)->processor->config['mappings'];
     $sources = $uniques = array();
     foreach ($mappings as $mapping) {
-      $sources[] = $mapping['source'];
+      $sources[] = filter_xss($mapping['source']);
       if ($mapping['unique']) {
         $uniques[] = $mapping['source'];
       }
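Review bot: The filter is applied when `$sources` is collected, not where it is printed, and `$uniques[] = $mapping['source'];` two lines below still stores the raw value, so if both lists reach the same output the unique columns stay unescaped. Filtering at collection time also changes the stored column name for any non-HTML use of `$sources`; the consumer is outside the hunk, so that part is inferred. Keeping both arrays raw and wrapping each value in `check_plain()` at the point where the list is rendered would treat the two lists consistently. The enclosing method starts and ends outside the hunk.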
CommentFileSizeAuthor
#2 853974-2_xss.patch4 KBalex_b

Comments

budda’s picture

Status: Active » Needs work

Please attach the patch as a file to the comment.

alex_b’s picture

Status: Needs work » Needs review
FileSize
4 KB

Above suggestions as patch using check_plain().

Testing now.

alex_b’s picture

Status: Needs review » Fixed

This is committed, thank you.

http://drupal.org/cvs?commit=423236

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

NancyDru’s picture

Note: This should not have been posted here. It should have been opened with the Security Team as a Security Advisory and the beta6 release tagged as such.