CVE-2017-6927: JavaScript cross-site scripting prevention is incomplete

March 1, 2018 (updated March 22, 2018)

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

References

www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6927
www.drupal.org/SA-CORE-2018-001

Code Behaviors & Features

Detect and mitigate CVE-2017-6927 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →