Module and theme names are not filtered on output.

Problem/Motivation

Especially with the growth of Features, and the ability to use update module to add/update themes and modules, it seems like a not entirely safe assumption that what's in the .info file is safe text.

Also, there are modules that let you write themes, for example by starting from an existing theme as a template. In that case, a user with a lesser admin permission might be able to inject XSS.

We should sanitize all the elements of the .info file that may be displayed (or maybe just all of them) as a simple hardening.
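To illustrate the point, here is an added example (not Drupal core code) with a simplified .info parser and a module-list row rendered once with the raw .info strings and once with them escaped at the output boundary. The sample .info text is constructed; `parse_info`, `render_module_row_unsafe` and `render_module_row_safe` are hypothetical names, and the Drupal 7 equivalent of the escaping call is assumed to be `check_plain()`.

```php
<?php
// Added example, not Drupal's code: shows why name/description read from a
// .info file must be sanitized before they are placed into HTML.

// Constructed .info content, as a careless or malicious author might ship it.
const SAMPLE_INFO = <<<INFO
name = "Shiny Theme <script>alert(1)</script>"
description = Drag & drop starter theme
core = 7.x
INFO;

// Simplified key = value parsing. Drupal's real parser
// (drupal_parse_info_format) also handles nested keys and quoting rules.
function parse_info(string $text): array {
    $info = [];
    foreach (preg_split('/\r?\n/', $text) as $line) {
        if (!preg_match('/^\s*([A-Za-z0-9_.\[\]]+)\s*=\s*(.*?)\s*$/', $line, $m)) {
            continue; // blank line or comment, ignore
        }
        // Strip one surrounding pair of double quotes, nothing else.
        $info[$m[1]] = preg_replace('/^"(.*)"$/s', '$1', $m[2]);
    }
    return $info;
}

// BEFORE: the .info text is trusted as safe markup (the behaviour the
// issue describes); the <script> tag lands in the admin page verbatim.
function render_module_row_unsafe(array $info): string {
    return "<td>{$info['name']}</td><td>{$info['description']}</td>";
}

// AFTER: every .info-sourced string is escaped at the output boundary.
// In Drupal 7 the equivalent call is check_plain() (assumption: D7 API).
function render_module_row_safe(array $info): string {
    $name = htmlspecialchars($info['name'], ENT_QUOTES, 'UTF-8');
    $desc = htmlspecialchars($info['description'], ENT_QUOTES, 'UTF-8');
    return "<td>{$name}</td><td>{$desc}</td>";
}

$info = parse_info(SAMPLE_INFO);
echo render_module_row_unsafe($info), "\n"; // script tag survives into the page
echo render_module_row_safe($info), "\n";   // rendered as literal text, & becomes &amp;
```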

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
