Opened 12 years ago

Closed 11 years ago

#179 closed Feature/Enhancement Request (fixed)

Customized Blog Names are potential XSS vectors

Reported by: alfredo Owned by: alfredo
Priority: Medium Component: Tech
Keywords: security Cc:
Sensitive: no


I have always hated the way Drupal names its blog so I've put in a special feature that allows people to name their own blog. It's not fully finished (drops after the first page) but it's on the way. You can name your blog by going to your account, clicking forbloggers and putting the name in the field for Blog name. Check it out.

BTW, if you don't do this, your regular blog name appears.

Code hacked in the page.tpl.php file. Needs functionalizing into template.php when finished or into a blog module if we can hook the profile effectively.

I think people will like this. :-) Comments?

Change History (10)

comment:1 Changed 12 years ago by alfredo

Owner: changed from Jamie McClelland to alfredo

comment:2 Changed 12 years ago by Jamie McClelland

Nice work Alfredo. If this code could be moved into a module it would definitely be the best way to go. Also - a request: when coding - can you indent when writing if/then and functions? I find your code very difficult to read when it's not indented.

And a final thought: It seems as though this code could be vulnerable to the same attack dkg identified in: #169. I think you should pass the variable returned from the database through strip_tags. As far as I can tell, this string should not be permitted to include any html or php code at all.

comment:3 Changed 11 years ago by alfredo

We'll be functionalizing all code and doing some security stuff on it as we move towards launch. I'll leave this open for now.

comment:4 Changed 11 years ago by Daniel Kahn Gillmor

Keywords: added

comment:5 Changed 11 years ago by Daniel Kahn Gillmor

Keywords: security added
Summary: Member can have Customized Blog Name on blog site → Customized Blog Names are potential XSS vectors

comment:6 Changed 11 years ago by alfredo

We have no fix for this as yet. I know Jamie came up with two possible fixes in ticket #468 that is now closed. Neither is applicable though. :( This problem emanates from the profiles module which has no input type filter at all. The display, in page.tpl.php, uses check_markup. I'm not sure what the fix is but what we're saying doesn't appear to be it.

comment:7 Changed 11 years ago by Daniel Kahn Gillmor

Where is the code that displays the blog's name? Is that code available for review someplace?

Looking at my blog, I don't see that the XSS is still active, because "trouble" isn't wrapped in the span tags any more. I know it was active at some point in the past, but I'm not sure when it changed.

From your comment, it sounds to me like you're saying it's still a problem, Alfredo. What URL are you seeing that the javascript is triggered on?

comment:8 Changed 11 years ago by alfredo

It was popping up for me as of last night and right now I see the title of the blog in span tags...on the blog page.

But the popup isn't appearing now -- at least, it's not appearing very quickly.

I'll enclose the blog name code below. This is in page.tpl.php in the specific theme we're using for the blog.

    /* This hack substitutes Drupal's boring username blog title with the title chosen by the user in their profile. It puts this on top of lists and it puts it on top of every blog post in addition to that post's title. Since it incorporates the core title function we will leave it here in the main template rather than move it to template.php */
    // $blogname and $blogusername are set earlier in the template (not shown in this ticket).
    if (arg(0) == 'blog') {
      $uid = arg(1);
      // Blog listing page: render the user-chosen name as the page title.
      $blogname = check_markup($blogname, FILTER_FORMAT_DEFAULT);
      print '<h1'. ($tabs ? ' class="with-tabs"' : '') .'>'. $blogname .'</h1><br>';
    }
    else {
      if ($node->type == 'blog') {
        // Individual blog post: show "...from <name>" above the post's own title.
        $blogname = check_markup($blogname, FILTER_FORMAT_DEFAULT);
        if ($blogname != '') {
          print '<h1'. ($tabs ? ' class="with-tabs"' : '') .'>...from '. $blogname .'</h1><p>';
        }
        else {
          print '<h1'. ($tabs ? ' class="with-tabs"' : '') .'>...from '. $blogusername .'\'s blog</h1><p>';
        }
      }
    }

comment:9 Changed 11 years ago by Daniel Kahn Gillmor

The title of the blog on the bloglist page is sloppily rendered (tags should probably be stripped instead of converted with some form of htmlentities), but it's not a security vulnerability. How is the bloglist page rendered? The snippet above doesn't seem to cover that functionality.

The calls to check_markup in the script above seem to be sufficient to avoid any sort of XSS attack in the blog title. You can verify this by looking at the source of a blog page -- is there javascript in the blog title?

Is this theme committed to the MF/PL SVN repository someplace? If it isn't, would you consider putting it there? That would make it easier to keep track of when a change is made.

Thanks for tracking this down, Alfredo!
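As an added example (not code from this ticket or from the MF/PL theme), the following stand-alone PHP script contrasts the three treatments this thread discusses: printing the profile value raw, entity-encoding it, and stripping tags first as comment:2 asks for, with the "tags show up literally" effect comment:9 calls sloppy visible in the encoded variant. Drupal's check_markup() and check_plain() are not reproduced here; htmlspecialchars() with ENT_QUOTES stands in for check_plain(), and the malicious blog-name value, the render_*() functions and the contains_active_markup() check are constructed for the example.

```php
<?php
// Added example; not part of the ticket or the theme under discussion.
// Drupal is not loaded: htmlspecialchars() stands in for check_plain(),
// and check_markup() is deliberately not reproduced.

// Constructed value: what a user could type into the profile "Blog name"
// field, which (per comment:6) has no input filter of its own.
$blogname = 'trouble <span onmouseover="alert(1)">here</span>'
          . '<script>alert(document.cookie)</script>';

// 1. Raw interpolation: user markup reaches the browser unchanged (stored XSS).
function render_raw($name) {
    return '<h1>' . $name . '</h1>';
}

// 2. Entity-encode only: safe, but the literal tag text shows up inside the
//    title, which is the "sloppy" rendering comment:9 describes.
function render_escaped($name) {
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// 3. Strip tags, then encode. A blog name needs no markup at all, so drop it
//    (comment:2). strip_tags() only removes tags; what remains is still user
//    text, so it is encoded before printing rather than trusted.
function render_stripped($name) {
    $plain = trim(strip_tags($name));
    return '<h1>' . htmlspecialchars($plain, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Crude review check in the spirit of comment:9 ("look at the source of a
// blog page"): does a real <script> tag or an event-handler attribute inside
// a real tag survive in the rendered title? Encoded text has no literal '<',
// so it does not match.
function contains_active_markup($html) {
    return (bool) preg_match('/<script\b|<[a-z][^>]*\son[a-z]+\s*=/i', $html);
}

$variants = [
    'raw'      => 'render_raw',
    'escaped'  => 'render_escaped',
    'stripped' => 'render_stripped',
];
foreach ($variants as $label => $fn) {
    $out = $fn($blogname);
    printf("%-8s %-4s %s\n", $label, contains_active_markup($out) ? 'XSS' : 'safe', $out);
}
```

Run with `php` on the command line: only the raw variant is flagged, the escaped variant is safe but shows `&lt;span ...&gt;` text in the heading, and the stripped variant shows just the remaining words. The regex check is a reviewer's aid for reading page source, not a substitute for escaping at output time.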

comment:10 Changed 11 years ago by Jamie McClelland

Resolution: fixed
Status: new → closed

I think this is a duplicate of #447 - so I'm closing. Please re-open if I'm misreading this ticket.
