The theme reaction makes section_title and section_subtitle available to page.tpl.php but doesn't wrap them in check_plain, which means those vars could contain malicious data.

Comments

subscribe

Status: Active » Fixed

Thanks for the patch, it has been committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Version: 7.x-3.0-alpha2 » 6.x-3.x-dev
Assigned: Unassigned » jmiccolis
Status: Closed (fixed) » Patch (to be ported)

A birdy told me that this may also need to be fixed in 6.x.

Section class should also be sanitized because a value of "><script>alert('class');</script><-- can escape the class attribute and get JS executed.

Note: this issue has been cleared by the Security Team because the permission 'administer site configuration' is required to enter malicious JS into these fields.

Patches for 6.x-2.x and 6.x-3.x attached.
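The difference between passing these three values to the template raw and passing them through check_plain(), as an added example that is not the module's code or the attached patches. The `example_*` functions and the settings array are hypothetical, and check_plain() is replaced by a stand-in so the script runs outside Drupal.

```php
<?php
// Stand-in so this runs outside Drupal. Drupal 7's check_plain() is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical "before": stored values are copied to the template unescaped.
function example_vars_unsafe(array $settings) {
  $vars = array();
  foreach (array('section_title', 'section_subtitle', 'section_class') as $key) {
    $vars[$key] = isset($settings[$key]) ? $settings[$key] : '';
  }
  return $vars;
}

// Hypothetical "after": every value is escaped before it reaches the template.
function example_vars_safe(array $settings) {
  return array_map('check_plain', example_vars_unsafe($settings));
}

// Hypothetical page.tpl.php fragment that prints the variables as-is.
function example_render(array $vars) {
  return '<div class="section ' . $vars['section_class'] . '">'
    . '<h1>' . $vars['section_title'] . '</h1>'
    . '<h2>' . $vars['section_subtitle'] . '</h2></div>';
}

// Constructed settings; the class value is the one quoted in this issue.
$settings = array(
  'section_title' => 'News & events',
  'section_subtitle' => '<em>weekly</em>',
  'section_class' => "\"><script>alert('class');</script><--",
);

$unsafe = example_render(example_vars_unsafe($settings));
$safe = example_render(example_vars_safe($settings));

// The raw output closes the class attribute and contains a live script tag;
// the escaped output keeps the whole value inside the attribute as text.
print "unsafe: $unsafe\n\nsafe:   $safe\n\n";
print 'script tag in unsafe output: ' . (strpos($unsafe, '<script') !== FALSE ? 'yes' : 'no') . "\n";
print 'script tag in safe output:   ' . (strpos($safe, '<script') !== FALSE ? 'yes' : 'no') . "\n";
```

Escaping makes the class value inert but does not turn it into a valid class name; Drupal 7 also provides drupal_html_class() for that.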

Status: Patch (to be ported) » Fixed

I've applied the 3.x patch and Steven applied the 2.x one.

Thanks for the help! Setting to closed!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.