When editing a field "in place", if the field label contains HTML, it is not sanitized and malicious code may be executed (but the "Administer content types" permission is required, which should be given only to trusted administrators).
Comment | File | Size | Author |
---|---|---|---|
#2 | 1889376-field_label_checkplain-1.patch | 878 bytes | Wim Leers |
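To make the issue summary concrete, here is an added illustration (not the attached patch and not Drupal's own widget code) of the bug and of the fix the patch name describes: the in-place edit markup concatenates the field label verbatim, and the fix is to pass it through `check_plain()` first. The `check_plain()` below is a local stand-in written the way Drupal's helper of that name worked; the `render_*` functions and the sample label are constructed for this example.

```php
<?php
// Local stand-in for Drupal's check_plain(): escape a string so that it is
// rendered as text, never parsed as markup (assumption: same behaviour as
// htmlspecialchars with ENT_QUOTES and UTF-8, which is what Drupal used).
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape of the in-place edit markup (constructed): the label set
// by a user with "Administer content types" is inserted unescaped, so any
// tags in it become live HTML for every editor who opens the in-place form.
function render_in_place_label_vulnerable($label) {
    return '<label class="field-label">' . $label . '</label>';
}

// Fixed shape: the label is treated as plain text, in line with what the
// Field module widget base already does for labels.
function render_in_place_label_fixed($label) {
    return '<label class="field-label">' . check_plain($label) . '</label>';
}

// Returns true when the rendered output still contains a raw <script> tag,
// i.e. when the label was not sanitized.
function label_leaks_markup($rendered) {
    return stripos($rendered, '<script') !== false;
}

// Constructed sample label containing HTML, as a content-type administrator
// could configure it.
$label = 'Title <script>alert("field label")</script>';

$vulnerable = render_in_place_label_vulnerable($label);
$fixed      = render_in_place_label_fixed($label);

echo "vulnerable: {$vulnerable}\n";   // tag survives verbatim
echo "fixed:      {$fixed}\n";        // tag is shown as &lt;script&gt;...

var_dump(label_leaks_markup($vulnerable)); // bool(true)
var_dump(label_leaks_markup($fixed));      // bool(false)
```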
Comments

Comment #1 (grisendo)

Comment #2 (Wim Leers)

Simple fix; this is in line with what Field.module does in `core/modules/field/lib/Drupal/field/Plugin/Type/Widget/WidgetBase.php`:

As the issue summary indicates, this is only a problem when malicious users have the "administer content types" permission.

Comment #3 (Wim Leers)

Comment #4 (swentel)

Looks good

Comment #5 (webchick)

That is un-good! Nice catch, grisendo!

Committed and pushed to 8.x. Thanks!

Comment #6 (grisendo)

Sorry! Wrong post :P (and I can't delete this comment).