Commit d489a3ea authored by stella's avatar stella

SA-CONTRIB-2010-095 - http://drupal.org/node/919610 - fixes an XSS vulnerability and access bypass issues with modal content.
parent 7f63520e
...@@ -721,7 +721,7 @@ var Lightbox = { ...@@ -721,7 +721,7 @@ var Lightbox = {
var s = Drupal.settings.lightbox2; var s = Drupal.settings.lightbox2;
if (s.show_caption) { if (s.show_caption) {
var caption = Lightbox.imageArray[Lightbox.activeImage][1]; var caption = Lightbox.filterXSS(Lightbox.imageArray[Lightbox.activeImage][1]);
if (!caption) caption = ''; if (!caption) caption = '';
$('#caption').html(caption).css({'zIndex': '10500'}).show(); $('#caption').html(caption).css({'zIndex': '10500'}).show();
} }
...@@ -1154,8 +1154,25 @@ var Lightbox = { ...@@ -1154,8 +1154,25 @@ var Lightbox = {
checkKey: function(keys, key, code) { checkKey: function(keys, key, code) {
return (jQuery.inArray(key, keys) != -1 || jQuery.inArray(String(code), keys) != -1); return (jQuery.inArray(key, keys) != -1 || jQuery.inArray(String(code), keys) != -1);
} },
filterXSS: function(str, allowed_tags) {
var output = "";
$.ajax({
url: Drupal.settings.basePath + 'system/lightbox2/filter-xss',
data: {
'string' : str,
'allowed_tags' : allowed_tags,
},
type: "POST",
async: false,
dataType: "json",
success: function(data) {
output = data;
}
});
return output;
}
}; };
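Review bot: The `data` object literal in filterXSS carries a trailing comma after `'allowed_tags' : allowed_tags,`, which IE 7/8 treat as a syntax error and which would stop the whole `Lightbox` object from parsing in those browsers; drop the comma. The request has no `error` handler, so when the `system/lightbox2/filter-xss` round-trip fails `output` stays `""` and the caption is suppressed — fail-closed is the right default for a sanitiser, but it deserves a comment such as `// No error handler on purpose: if the filter request fails the caption is dropped rather than shown unfiltered.`. Since `async: false` blocks the browser on every caption display, a later refactor could sanitise the caption once when `imageArray` is populated instead of per show; that is a style point, not a defect. Note also that `allowed_tags` is sent even when the caller omits it (the call earlier in this section passes one argument), so the server apparently receives the string `"undefined"`, which the PHP side special-cases — a comment on the parameter should say so.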
...@@ -193,3 +193,10 @@ function lightbox2_update_6002() { ...@@ -193,3 +193,10 @@ function lightbox2_update_6002() {
return array(); return array();
} }
/**
* Menu paths changed.
*/
function lightbox2_update_6003() {
return array();
}
...@@ -153,6 +153,13 @@ function lightbox2_perm() { ...@@ -153,6 +153,13 @@ function lightbox2_perm() {
function lightbox2_menu() { function lightbox2_menu() {
$items = array(); $items = array();
$items['system/lightbox2/filter-xss'] = array(
'title' => 'Filter XSS',
'page callback' => 'lightbox2_filter_xss',
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
$items['admin/settings/lightbox2'] = array( $items['admin/settings/lightbox2'] = array(
'title' => 'Lightbox2', 'title' => 'Lightbox2',
'description' => 'Allows the user to configure the lightbox2 settings', 'description' => 'Allows the user to configure the lightbox2 settings',
...@@ -206,19 +213,20 @@ function lightbox2_menu() { ...@@ -206,19 +213,20 @@ function lightbox2_menu() {
'weight' => 3, 'weight' => 3,
); );
if (module_exists('emfield') && module_exists('emvideo')) { if (module_exists('emfield') && module_exists('emvideo')) {
$items['video-cck/lightbox2'] = array( $items['video-cck/lightbox2/%node'] = array(
'page callback' => 'lightbox2_emvideo', 'page callback' => 'lightbox2_emvideo',
'access callback' => 'user_access', 'page arguments' => array(2),
'access arguments' => array('access content'), 'access callback' => 'node_access',
'access arguments' => array('view', 2),
'type' => MENU_CALLBACK, 'type' => MENU_CALLBACK,
); );
} }
if (module_exists('acidfree') && module_exists('video')) { if (module_exists('acidfree') && module_exists('video')) {
$items['node/%nid/lightframevideo'] = array( $items['node/%node/lightframevideo'] = array(
'page callback' => 'lightbox2_acidfree_video', 'page callback' => 'lightbox2_acidfree_video',
'page arguments' => array(1), 'page arguments' => array(1),
'access callback' => 'user_access', 'access callback' => 'lightbox2_acidfree_video_access',
'access arguments' => array('play video'), 'access arguments' => array(1),
'type' => MENU_CALLBACK, 'type' => MENU_CALLBACK,
); );
} }
...@@ -238,6 +246,16 @@ function lightbox2_menu() { ...@@ -238,6 +246,16 @@ function lightbox2_menu() {
return $items; return $items;
} }
/**
* Acidfree video access control.
*/
function lightbox2_acidfree_video_access($node) {
if (user_access('play video') && node_access('view', $node)) {
return TRUE;
}
return FALSE;
}
/** /**
* Implementation of hook_init(). * Implementation of hook_init().
*/ */
...@@ -1017,13 +1035,16 @@ function lightbox2_theme() { ...@@ -1017,13 +1035,16 @@ function lightbox2_theme() {
* @param id * @param id
* The video id. * The video id.
*/ */
function lightbox2_emvideo($nid, $width, $height, $field_name, $provider, $id) { function lightbox2_emvideo($node, $width, $height, $field_name, $provider, $id) {
$field = array(); $field = content_fields($field_name);
$field['widget']['video_width'] = $width; $field['widget']['video_width'] = $width;
$field['widget']['video_height'] = $height; $field['widget']['video_height'] = $height;
$field['widget']['video_autoplay'] = 1; $field['widget']['video_autoplay'] = 1;
$field['field_name'] = $field_name; if (!content_access('view', $field, NULL, $node)) {
$node = node_load($nid); drupal_access_denied();
return;
}
$items = $node->$field_name; $items = $node->$field_name;
if (is_array($items)) { if (is_array($items)) {
foreach ($items as $item) { foreach ($items as $item) {
...@@ -1080,15 +1101,14 @@ function lightbox2_preprocess_page(&$variables) { ...@@ -1080,15 +1101,14 @@ function lightbox2_preprocess_page(&$variables) {
/** /**
* Display the video object. * Display the video object.
* *
* Displays the video object for a specified nid. It is used for * displaying * Displays the video object for a specified nid. It is used for displaying
* videos in acidfree lists in a lightbox when the thumbnail is clicked on. It * videos in acidfree lists in a lightbox when the thumbnail is clicked on. It
* is only triggered for the url 'node/%nid/lightframevideo'. * is only triggered for the url 'node/%nid/lightframevideo'.
* *
* @param $nid * @param $node
* Unique identifier of the node. * The $node object.
*/ */
function lightbox2_acidfree_video($nid) { function lightbox2_acidfree_video($node) {
$node = node_load($nid);
print theme('video_player', $node); print theme('video_player', $node);
} }
...@@ -1329,3 +1349,15 @@ function lightbox2_views_api() { ...@@ -1329,3 +1349,15 @@ function lightbox2_views_api() {
'api' => '2.0', 'api' => '2.0',
); );
} }
function lightbox2_filter_xss() {
if (!empty($_POST['allowed_tags']) && $_POST['allowed_tags'] != 'undefined') {
$allowed_tags = explode(',', $_POST['allowed_tags']);
$output = filter_xss($_POST['string'], $allowed_tags);
}
else {
$output = filter_xss($_POST['string']);
}
drupal_json($output);
}
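Review bot: `lightbox2_filter_xss()` reads `$_POST['string']` in both branches without checking it is set, so a GET or a malformed POST to the anonymous `system/lightbox2/filter-xss` path raises a PHP notice before filtering an empty value; guard with `$string = isset($_POST['string']) ? $_POST['string'] : '';` and pass `$string` to `filter_xss()`. The `!= 'undefined'` comparison on `allowed_tags` depends on the JavaScript side serialising an omitted argument as the literal string "undefined", which should be recorded in a comment, since a future client change would silently alter the allow-list that reaches `filter_xss()`. The function also lacks the `/** ... */` docblock every neighbouring function carries; a one-liner stating that it returns the `filter_xss()` result of the posted string as JSON for `Lightbox.filterXSS()` would suffice. In the `lightbox2_emvideo` hunk, `$field_name` arrives from the URL and is handed straight to `content_fields()` and then used as a property name on `$node`; if the field does not exist, `content_access()` is presumably called with an empty `$field`, so an explicit `if (empty($field)) { drupal_not_found(); return; }` after the `content_fields()` call would make that failure mode deterministic (the body of that function continues outside the hunk).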