This was originally reported by alexpott to the Drupal Security Team, but is being made public since there is no actual vulnerability and it can be treated as a public bug.
Problem/Motivation
Drupal\Component\Utility\Xss::filter has the following behaviour:
HEAD
BEFORE: <IMG SRC= onmouseover="alert('xxs')"
AFTER: <IMG nmouseover="alert('xxs')">
With patch
BEFORE: <IMG SRC= onmouseover="alert('xxs')"
AFTER: <IMG>
You can see this vulnerability by running the test code below using "drush scr xss.php.txt"
<?php
// Run with: drush scr xss.php.txt
// Three inputs: a malformed SRC attribute, a plain event-handler attribute,
// and a well-formed <img> that must survive filtering unchanged.
$strings = [
  '<IMG SRC= onmouseover="alert(\'xxs\')"',
  '<IMG onmouseover="alert(\'xxs\')"',
  '<img src="http://example.com/foo.jpg" title="Example: title" alt="Example: alt">',
];
foreach ($strings as $original) {
  // Only <img> is allowed; attribute handling is the Xss::filter() logic described above.
  $string = filter_xss($original, array('img'));
  print "BEFORE: $original\nAFTER: $string\n\n";
}
Proposed resolution
Fix the logic so malformed attributes are stripped
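To make the intended fix concrete, here is an added example (my own code, not Drupal's Xss::filter, and not the patch in this issue): a small fail-closed attribute parser and sanitizer that reproduces the three BEFORE/AFTER cases above. The allowlists, regexes and function names (`parse_attributes`, `safe_attribute`, `xss_filter`) are this example's own assumptions. The security-relevant rule is in `parse_attributes`: the first malformed attribute and everything after it is discarded, rather than resynchronising on the next character, which is how `SRC= onmouseover=...` could otherwise turn into a new attribute name.

```python
import re

# Added example, not Drupal's Xss::filter: a small fail-closed sanitizer that shows the
# behaviour the proposed fix describes. The allowlists, regexes and function names below
# are this example's own assumptions.

ALLOWED_TAGS = {"img"}                                   # mirrors filter_xss($s, array('img'))
ALLOWED_ATTRS = {"src", "alt", "title", "width", "height"}
SAFE_SCHEMES = ("http:", "https:")

_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_:.-]*")
_EQ = re.compile(r"\s*=\s*")
_VALUE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s"\'<>=`]+)')
_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)(?:>|$)")


def parse_attributes(attrs):
    """Tokenise an attribute string into (name, value) pairs; value is None for a
    boolean attribute. Returns (pairs, well_formed). At the first malformed attribute
    the parser stops and reports well_formed=False: that attribute and everything after
    it are discarded, instead of resynchronising on the next character and possibly
    turning 'SRC= onmouseover=...' into a new attribute name."""
    pairs = []
    pos, n = 0, len(attrs)
    while pos < n:
        while pos < n and attrs[pos].isspace():
            pos += 1
        if pos >= n:
            break
        m = _NAME.match(attrs, pos)
        if m is None:                       # junk where a name should be, e.g. a bare '='
            return pairs, False
        name, pos = m.group(0), m.end()
        eq = _EQ.match(attrs, pos)
        if eq is None:                      # boolean attribute such as <img ismap>
            pairs.append((name, None))
            continue
        pos = eq.end()
        v = _VALUE.match(attrs, pos)
        if v is None:                       # '=' followed by nothing usable
            return pairs, False
        value, pos = next(g for g in v.groups() if g is not None), v.end()
        # A value must be followed by whitespace or the end of the string. For
        # 'SRC= onmouseover="alert(...)"' the bare value 'onmouseover' is followed by
        # '=', so the whole SRC attribute is malformed and the rest is dropped.
        if pos < n and not attrs[pos].isspace():
            return pairs, False
        pairs.append((name, value))
    return pairs, True


def safe_attribute(name, value):
    """Allowlist check: event handlers are never in ALLOWED_ATTRS, and src must be a
    relative URL or http(s). Entities inside values are not decoded in this demo."""
    lname = name.lower()
    if lname not in ALLOWED_ATTRS:
        return False
    if lname == "src":
        if value is None:
            return False
        v = value.strip().lower()
        first = v.split("/", 1)[0]          # a scheme can only appear before the first '/'
        if ":" in first and not v.startswith(SAFE_SCHEMES):
            return False
    return True


def xss_filter(html):
    """Keep only allowed tags, rebuilt from their cleanly parsed, allowlisted attributes."""
    def rebuild(m):
        closing, tag, attrs = m.group(1), m.group(2), m.group(3).rstrip()
        if tag.lower() not in ALLOWED_TAGS:
            return ""
        if closing:
            return "</" + tag + ">"
        if attrs.endswith("/"):             # tolerate '<img ... />'
            attrs = attrs[:-1]
        pairs, _well_formed = parse_attributes(attrs)
        parts = []
        for name, value in pairs:
            if not safe_attribute(name, value):
                continue
            parts.append(name if value is None else '%s="%s"' % (name, value.replace('"', "&quot;")))
        return "<" + tag + "".join(" " + p for p in parts) + ">"
    return _TAG.sub(rebuild, html)


if __name__ == "__main__":
    for original in (
        '<IMG SRC= onmouseover="alert(\'xxs\')"',
        '<IMG onmouseover="alert(\'xxs\')"',
        '<img src="http://example.com/foo.jpg" title="Example: title" alt="Example: alt">',
    ):
        print("BEFORE: %s\nAFTER: %s\n" % (original, xss_filter(original)))
```

Run as a script it prints the same three BEFORE/AFTER pairs as the drush script, with the "With patch" results: the first two inputs collapse to `<IMG>` and the well-formed image is returned unchanged. The design point is that the parser never guesses where an attribute string resumes after a syntax error; a sanitizer that resynchronises character by character can produce output whose attribute boundaries differ from what a browser would see.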
Remaining tasks
Review patch, backport.
User interface changes
n/a
API changes
n/a
Data model changes
n/a