as well as replying on the message.

Here is background:

If you use the standard Full HTML filter then it is possible to run JavaScript code on your page to steal user cookies, e.g.

<script type="text/javascript">
alert(document.cookie);
</script>

This is sample code to show cookies, but you can write code to pass the cookies of every user who loads the page, and therefore take control over their account.

To prevent that I installed the Safe HTML module. It strips potentially dangerous tags from your input. After installation you just have to check this input format filter. And it works fine except with Private Messages.

Can you fix that?
I think it is critically dangerous.
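What an input format filter such as Safe HTML has to do with the message body is illustrated below by a small allowlist-based HTML filter. This is an added example written for this page; it is not code from Privatemsg, Drupal core or the Safe HTML module, and the tag and attribute policy (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_SCHEMES) is a constructed one. It shows the difference between an input format that passes markup through unchanged (the Full HTML situation described above) and one that drops `<script>` content, event-handler attributes and `javascript:` links before the text is rendered to other users.

```python
"""Allowlist HTML filter (added example, not Drupal's or Safe HTML's code)."""
from html.parser import HTMLParser
from html import escape

# Constructed policy: what a restrictive input format may keep.
ALLOWED_TAGS = {"a", "em", "strong", "p", "br", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# For these tags the content is dropped too, not only the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
# Only these link targets survive; javascript:, data:, vbscript: etc. do not.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistFilter(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, ... never allowed
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                v = (value or "").strip().lower()
                if not v.startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        if tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so "<" typed by a user stays literal text.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def filter_html(html: str) -> str:
    """Return the allowlisted rendering of an untrusted HTML fragment."""
    p = AllowlistFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs modelled on the cookie-reading snippet above.
    samples = [
        '<script type="text/javascript">alert(document.cookie);</script>',
        '<p onclick="steal()">hello</p>',
        '<a href="javascript:alert(1)">link</a>',
        '<a href="https://example.com/">ok</a>',
        '<img src=x onerror=alert(1)>',
    ]
    for s in samples:
        print(repr(s), "->", repr(filter_html(s)))
```

A filter like this belongs in the input format applied to every field that other users will see, private message bodies included; it is the input format configuration, not the individual module, that decides whether markup is stripped or passed through. Marking the session cookie HttpOnly is a separate, complementary measure that keeps `document.cookie` from exposing it even when a script does get through.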

Comments

berdir

Status: Active » Closed (won't fix)

Privatemsg uses the default input format in 6.x-1.x and it's possible to choose it in 6.x-2.x.

If your default input format is insecure, then that is a misconfiguration and not a problem with Privatemsg.