Fixed: Sanitize text format names in hint below editor. #6065
I pushed a PR for this that is ready for testing.

Tested. Verified the lack of sanitization before; verified that the code change fixes the problem. Code looks good. WFM, RTBC.
backdrop-ci referenced this issue in backdrop/backdrop, Apr 19, 2023
I merged backdrop/backdrop#4406 into 1.x and 1.24.x. Thanks! Note that this issue is public and does not receive a CVE because any administrator that can configure a text format could easily allow Full HTML anywhere.
Description of the bug
The text format label is correctly sanitized on the text formats page, and in the select list on the node/add/page page, but in the hint below the text editor it is not properly sanitized when the current text format changes. (In this scenario, the text is replaced by JavaScript.)

Steps To Reproduce
To reproduce the behavior:
1. Create a text format whose name is: test<script>alert('XSS');</script>
2. Go to node/add/page (the Page content type).
3. Change the selected text format in the editor; the hint below the editor is rewritten with the unsanitized name.
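The report above describes the difference between the server-rendered places where the label is escaped and the client-side hint that is rewritten by JavaScript. The following is an added example, not Backdrop's own code or the code from the linked PR: a constructed label map standing in for the format data the editor script receives (an assumption), a vulnerable hint builder that concatenates the label into markup, and a fixed builder that escapes it the way a check_plain-style helper would, plus the textContent alternative that needs no escaping at all.

```javascript
// Added example, not Backdrop's own code. `formatLabels` is a constructed
// stand-in for the text-format data the editor script has access to
// (assumption about the data shape, not Backdrop's real structure).
const formatLabels = {
  filtered_html: 'Filtered HTML',
  // Constructed label mirroring the reproduction value from the report.
  evil: "test<script>alert('XSS');</script>",
};

// Escape the characters that are significant in HTML text and attribute
// context; same idea as Backdrop's server-side check_plain().
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable form of the hint builder: the label goes into markup as-is,
// so assigning the result to innerHTML executes whatever the label holds.
function buildHintUnsafe(formatName) {
  return 'Text format: <strong>' + formatLabels[formatName] + '</strong>';
}

// Fixed form: the label is escaped before it is placed in markup.
function buildHintSafe(formatName) {
  return 'Text format: <strong>' + checkPlain(formatLabels[formatName]) + '</strong>';
}

// Helper for the checks below: does the produced markup still contain an
// unescaped script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Alternative that avoids the problem entirely: write the label as text,
// never as HTML. `hintEl` is any object with a textContent property,
// e.g. the DOM element that holds the hint.
function setHintText(hintEl, formatName) {
  hintEl.textContent = 'Text format: ' + formatLabels[formatName];
  return hintEl.textContent;
}

// Usage in a browser would look like:
//   hintEl.innerHTML = buildHintSafe(select.value);   // escaped markup
// or, preferably:
//   setHintText(hintEl, select.value);                // plain text, no markup
```

The textContent route is the stronger fix when the hint carries no intended markup: there is nothing to escape and nothing to forget to escape. The escaping route is what you need when the hint legitimately mixes markup (the surrounding tags) with untrusted text (the label).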