In this file: easy_breadcrumb.blocks.inc

There is this PHP code:

$breadcrumb[] = '<span class="' . $classes . '">' . $segment_text . '</span>';

If a user goes to a page that doesn't exist, and if JS or HTML is included in the URL, it will print this code straight onto the page. It should be updated to this:

$breadcrumb[] = '<span class="' . $classes . '">' . htmlspecialchars($segment_text) . '</span>';

We ran into this issue trying to get PCI compliance on a site that uses this module.

Comments

sonemonu

Version: 7.x-1.16 » 7.x-1.17
Assigned: Unassigned » sonemonu
Status: Active » Closed (fixed)

Corrected in 7.x-1.17. Thanks!

Pierco

I don't think it's enough because I can still execute some JavaScript with
something/something<img src="test.png" onload="alert()">/something using 7.x-2.9
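
The output encoding discussed in this thread, as an added example (not code from the Easy Breadcrumb module): it renders breadcrumb segments with and without escaping and checks each item for markup other than the wrapper. The function names, the class name and the sample paths are constructed for illustration; the second path is the one quoted in the last comment.

```php
<?php
// Added illustration; function names, class name and sample paths are
// hypothetical and are not taken from the Easy Breadcrumb module.

// Escape for HTML text and attribute contexts. Drupal 7's check_plain()
// calls htmlspecialchars() with ENT_QUOTES and UTF-8 in the same way.
function esc($value) {
  return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// The pattern from the report: the path segment is concatenated as-is.
function segment_unescaped($classes, $segment_text) {
  return '<span class="' . $classes . '">' . $segment_text . '</span>';
}

// Encoded at output: both the class attribute and the text are escaped.
function segment_escaped($classes, $segment_text) {
  return '<span class="' . esc($classes) . '">' . esc($segment_text) . '</span>';
}

// Build breadcrumb items from a request path using the given renderer.
function build_breadcrumb($path, $render) {
  $items = array();
  foreach (explode('/', trim($path, '/')) as $segment) {
    if ($segment !== '') {
      $items[] = $render('breadcrumb-segment', rawurldecode($segment));
    }
  }
  return $items;
}

// Regression check: true when the only markup is the <span> wrapper.
function only_wrapper_markup($item) {
  return (bool) preg_match('~^<span class="[^"<>]*">[^<>]*</span>$~', $item);
}

// Constructed sample paths (raw and percent-encoded markup in a segment).
$paths = array(
  'node/42/edit',
  'something/something<img src="test.png" onload="alert()">/something',
  'a/%3Cb%3Ebold%3C%2Fb%3E/c',
);
foreach ($paths as $path) {
  foreach (array('segment_unescaped', 'segment_escaped') as $render) {
    foreach (build_breadcrumb($path, $render) as $item) {
      printf("%-18s %-4s %s\n", $render, only_wrapper_markup($item) ? 'ok' : 'FAIL', $item);
    }
  }
}
```

A check like `only_wrapper_markup()` can be run against every code path that emits a segment or title, so that a later release adding a new output path without escaping is caught by a test.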