This release addresses a cross-site scripting (XSS) vulnerability. Due to this vulnerability, a user could inject arbitrary scripts into pages affecting other site users. This could result in administrative account compromise leading to web server process compromise. This vulnerability is mitigated by the fact that an attacker must have the necessary permissions to administer blocks.
See SA-CONTRIB-2012-032 - Block Class - Cross Site scripting.
Install patch: should properly update allowed class text to 255 characters.
Support for the block access module.
If vertical blocks is enabled, weight is now more on top.
• This release includes a fix for a cross-site scripting (XSS) vulnerability in which JavaScript could be inserted in the class field of a block's configuration interface.
• Additionally, unnecessary backticks were removed from some queries: #667382: Remove backticks.
This release includes a fix for a cross-site scripting (XSS) vulnerability in which JavaScript could be inserted in the class field of a block's configuration interface.
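The class-field XSS described in these release notes arises when a stored class string is written into an HTML attribute without filtering. The following is an added illustration in plain PHP, not the Block Class module's own code; the function names, the token whitelist and the sample input are assumptions made for the example.

```php
<?php
// Added illustration in plain PHP; all function names here are hypothetical.

// Reduce a user-supplied class string to a whitelist of safe class tokens.
function example_sanitize_block_classes(string $raw, int $maxLength = 255): string {
  $out = '';
  foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
    // Drop everything except characters valid in a simple class name.
    $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);
    // Skip tokens that are empty or start with a digit after filtering.
    if ($token === '' || ctype_digit($token[0])) {
      continue;
    }
    $candidate = $out === '' ? $token : $out . ' ' . $token;
    // Stop before exceeding the stored field length (255 per the release notes).
    if (strlen($candidate) > $maxLength) {
      break;
    }
    $out = $candidate;
  }
  return $out;
}

// Before: the stored value is concatenated into the attribute unescaped,
// so a quote in the class field ends the attribute and adds new markup.
function example_render_block_unsafe(string $classes, string $body): string {
  return '<div class="block ' . $classes . '">' . $body . '</div>';
}

// After: filter to class tokens, then escape for the attribute context.
function example_render_block_safe(string $classes, string $body): string {
  $attr = htmlspecialchars(example_sanitize_block_classes($classes), ENT_QUOTES, 'UTF-8');
  $text = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
  return '<div class="block ' . $attr . '">' . $text . '</div>';
}

// Constructed sample value for the block's class field.
$input = 'promo" onmouseover="alert(1)';
echo example_render_block_unsafe($input, 'Hello'), "\n";
echo example_render_block_safe($input, 'Hello'), "\n";
```

Filtering on save and escaping on output are independent controls; escaping at render time also covers values stored before the fix was installed.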