Harden drupalSettings selector against XSS

Follow-up to #2510104: Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future

Problem/Motivation

The current selector for the drupalSettings element is:

var settingsElement = document.querySelector('script[type="application/json"][data-drupal-selector="drupal-settings-json"]');

This means that when someone manages to inject a matching script element anywhere in the page, for example by exploiting an XSS flaw, they could override drupalSettings: querySelector returns the first match in document order, so an injected element that precedes the legitimate one wins. Manipulated settings could in turn lead to a real XSS exploit.

Proposed resolution

Use a selector that only matches a script element which is a direct child of head or body instead:

var settingsElement = document.querySelector('head > script[type="application/json"][data-drupal-selector="drupal-settings-json"], body > script[type="application/json"][data-drupal-selector="drupal-settings-json"]');
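The difference between the two selectors, as an added example that is not Drupal core code: a small DOM-free model in which a settings-looking script nested inside user content is picked up by the old selector but rejected by the direct-child rule. The element model, el(), SETTINGS_ATTRS, SAMPLE_DOC and the JSON contents are constructed for this example.

```javascript
// Added example (not Drupal core code): a DOM-free model of the old and hardened selectors.
// Minimal element model constructed for this example; el() wires up `parent` links.
function el(tag, attrs = {}, children = [], text = '') {
  const node = { tag, attrs, children, text, parent: null };
  for (const child of children) child.parent = node;
  return node;
}
// Attribute part shared by both selectors:
// script[type="application/json"][data-drupal-selector="drupal-settings-json"]
function isSettingsScript(node) {
  return node.tag === 'script' && node.attrs.type === 'application/json' &&
    node.attrs['data-drupal-selector'] === 'drupal-settings-json';
}
// Pre-order walk: the document order in which querySelector finds its first match.
function* walk(node) {
  yield node;
  for (const child of node.children) yield* walk(child);
}
// Old selector: the first matching script anywhere in the document wins,
// so an injected copy that precedes the real one is the one that gets used.
function findSettingsOld(doc) {
  for (const node of walk(doc)) if (isSettingsScript(node)) return node;
  return null;
}
// Hardened selector (head > script[...], body > script[...]):
// the script must be a direct child of <head> or <body>.
function findSettingsHardened(doc) {
  for (const node of walk(doc)) {
    const parentTag = node.parent ? node.parent.tag : null;
    if (isSettingsScript(node) && (parentTag === 'head' || parentTag === 'body')) return node;
  }
  return null;
}
// Parse the selected element's JSON; a missing element or malformed JSON yields null.
function readSettings(doc, finder) {
  const node = finder(doc);
  if (node === null) return null;
  try { return JSON.parse(node.text); } catch (e) { return null; }
}
const SETTINGS_ATTRS = { type: 'application/json', 'data-drupal-selector': 'drupal-settings-json' };
// Constructed page: a copy of the settings script injected into user content inside a <div>,
// appearing before the legitimate script that Drupal places as a direct child of <body>.
const SAMPLE_DOC = el('html', {}, [
  el('head'),
  el('body', {}, [
    el('div', { class: 'user-content' }, [el('script', SETTINGS_ATTRS, [], '{"injected": true}')]),
    el('script', SETTINGS_ATTRS, [], '{"path": {"baseUrl": "/"}}'),
  ]),
]);
```

With SAMPLE_DOC, findSettingsOld returns the nested injected copy while findSettingsHardened returns the legitimate direct child of body.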

Remaining tasks

- Create patch
- Commit

User interface changes

- None

API changes

- None
