I have found several spots in the code vulnerable to XSS exploits. Please add these patches:
--- /tmp/feeds/feeds.pages.inc 2010-05-04 17:24:58.000000000 -0400
+++ feeds/feeds.pages.inc 2010-07-14 10:17:18.000000000 -0400
@@ -29,7 +29,7 @@ function feeds_page() {
}
$rows[] = array(
l($title, $link),
- $importer->config['description'],
+ filter_xss($importer->config['description']),
);
}
}
--- /tmp/feeds/feeds_ui/feeds_ui.admin.inc 2010-07-06 11:16:33.000000000 -0400
+++ feeds/feeds_ui/feeds_ui.admin.inc 2010-07-14 09:19:39.000000000 -0400
@@ -63,8 +63,8 @@ function feeds_ui_overview_form(&$form_s
);
foreach (feeds_importer_load_all(TRUE) as $importer) {
$importer_form = array();
- $importer_form['name']['#value'] = $importer->config['name'];
- $importer_form['description']['#value'] = $importer->config['description'];
+ $importer_form['name']['#value'] = filter_xss($importer->config['name']);
+ $importer_form['description']['#value'] = filter_xss($importer->config['description']);
if (empty($importer->config['content_type'])) {
$importer_form['attached']['#value'] = '[none]';
}
@@ -766,8 +766,8 @@ function theme_feeds_ui_mapping_form($fo
if (is_array($form['#mappings'])) {
foreach ($form['#mappings'] as $i => $mapping) {
$rows[] = array(
- $mapping['source'],
- $mapping['target'],
+ filter_xss($mapping['source']),
+ filter_xss($mapping['target']),
drupal_render($form['unique_flags'][$i]),
drupal_render($form['remove_flags'][$i]),
);
@@ -808,8 +808,8 @@ function theme_feeds_ui_mapping_form($fo
$rows = array();
foreach (element_children($form['legendset']['legend']['targets']) as $k) {
$rows[] = array(
- drupal_render($form['legendset']['legend']['targets'][$k]['name']),
- drupal_render($form['legendset']['legend']['targets'][$k]['description']),
+ filter_xss(drupal_render($form['legendset']['legend']['targets'][$k]['name'])),
+ filter_xss(drupal_render($form['legendset']['legend']['targets'][$k]['description'])),
);
}
$legend .= '<h4>'. t('Targets') .'</h4>';
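Review bot: The two added lines wrap drupal_render() output in filter_xss(), which filters rendered markup instead of the untrusted value and is the wrong layer for the fix. If the `name` and `description` elements render with any wrapper markup, filter_xss()'s default tag whitelist strips it; if they are plain markup elements, the untrusted string is merely filtered one step later than where it enters the form. The escaping belongs where each target element's `#value` is assigned in the form builder, which would leave these lines as `drupal_render($form['legendset']['legend']['targets'][$k]['name']),` and `drupal_render($form['legendset']['legend']['targets'][$k]['description']),`. The form builder is not in this patch and theme_feeds_ui_mapping_form starts and ends outside the hunk, so where the values are set cannot be confirmed here.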
--- /tmp/feeds/plugins/FeedsCSVParser.inc 2010-07-06 13:09:43.000000000 -0400
+++ feeds/plugins/FeedsCSVParser.inc 2010-07-14 10:16:23.000000000 -0400
@@ -71,7 +71,7 @@ class FeedsCSVParser extends FeedsParser
$mappings = feeds_importer($this->id)->processor->config['mappings'];
$sources = $uniques = array();
foreach ($mappings as $mapping) {
- $sources[] = $mapping['source'];
+ $sources[] = filter_xss($mapping['source']);
if ($mapping['unique']) {
$uniques[] = $mapping['source'];
}
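Review bot: Filtering `$mapping['source']` while building `$sources` on the added line changes the parser's data rather than its output, and leaves it inconsistent with the `$uniques[]` assignment two lines below, which still stores the raw value. If `$sources` is later matched against CSV column headers (outside the hunk), a source name containing a character filter_xss() rewrites, such as `&` or `<`, would no longer match and that column would be silently dropped. Output escaping of mapping sources is already handled in the theme layer by the theme_feeds_ui_mapping_form hunk above, so this line should remain `$sources[] = $mapping['source'];`. The enclosing method starts and ends outside the hunk.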
Comment | File | Size | Author |
---|---|---|---|
#2 | 853974-2_xss.patch | 4 KB | alex_b |
Comments
Comment #1
budda: Please attach the patch as a file to the comment.
Comment #2
alex_b CreditAttribution: alex_b commented: Above suggestions as a patch using check_plain().
Testing now.
Comment #3
alex_b CreditAttribution: alex_b commented: This is committed, thank you.
http://drupal.org/cvs?commit=423236
Comment #5
NancyDru: Note: This should not have been posted here. It should have been opened with the Security Team as a Security Advisory and the beta6 release tagged as such.