[drupal-devel] [bug] XSS vulnerability in comments

Mogurito drupal-devel at drupal.org
Wed Sep 14 12:12:08 UTC 2005

Issue status update for 
Post a follow up: 

 Project:      Drupal
 Version:      4.6.0
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  Mogurito
 Reported by:  Mogurito
 Updated by:   Mogurito
 Status:       patch (code needs review)
 Attachment:   http://drupal.org/files/issues/comment.module_13.diff (632 bytes)

The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like 'Hello XSS', the comment in
the source code will be closed, provocating that "Hello XSS-->" string
will be show in the page. If the "Hello XSS" string will be replaced by
a script, we can get a XSS Attack.

Analize the subject string and replacing the special characters (, ')
for (<, >, ")

Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("", ">", $edit['subject']);
$edit['subject'] = ereg_replace("\'", """, $edit['subject']);

- Sorry, but my english is not very cool.


More information about the drupal-devel mailing list