Choice module allows XSS attack
Concerned version
Version: 1.9.15 on Debian 8
Summary
With the Choice module, it is possible to inject arbitrary Javascript code on the portal, even with the option checkXSS on.
Example : If you send this URL directly (without URI encoding) to the portal :
GET //?"><script>alert("XSSAttack")</script>"
You get an alert window on the portal.
The URI is inserted directly into the template without call to checkXSSAttack :
<!-- Forms -->
<div id="1Carte">
<form action="https://portal/?"><script>alert("XSSAttack")</script>"" method="post" class="login Card">
Backends used
Choice
Possible fixes
We propose this patch to prevent this attack.