Active
Project:
Userpoints Node Access
Version:
6.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
2 Aug 2010 at 08:51 UTC
Updated:
2 Aug 2010 at 08:51 UTC
While porting the module to Drupal 7, I noticed that it doesn't correctly escape page titles.
$params = array(
'uid' => $uid,
'points' => -$nodepoints,
'tid' => $tid,
'operation' => 'Substract',
'description' => t('User bought access to') . ' \'' . $node->title . '\'',
);
So if a node title contains javascript, it will be executed when a user does access any page where the description is displayed.
This module only has a -dev release, so it is ok to handle security issues through the issue qeue, in case someone wonders...
Patch should follow soon.