In this file: easy_breadcrumb.blocks.inc
There is this PHP code:
$breadcrumb[] = '<span class="' . $classes . '">' . $segment_text . '</span>';
If a user goes to a page that doesn't exist, and JS or HTML is included in the URL, it will print that code straight onto the page. It should be updated to this:
$breadcrumb[] = '<span class="' . $classes . '">' . htmlspecialchars($segment_text) . '</span>';
We ran into this issue trying to get PCI compliance on a site that uses this module.
Comments
Comment #1
sonemonu commented:
Corrected in 7.x-1.17. Thanks!
Comment #2
Pierco commented:
I don't think it's enough because I can still execute some JavaScript with
something/something<img src="test.png" onload="alert()">/something
using 7.x-2.9
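The following is an added example, not code from the easy_breadcrumb module or from anyone in this thread. It reproduces the pattern the report describes (breadcrumb text derived from the request path and concatenated into markup without escaping) beside a version that escapes with htmlspecialchars, and runs two constructed request paths through both: a plain inline-handler payload and the <img onload> payload from comment #2. The function names (segment_to_title, build_breadcrumb_unsafe, build_breadcrumb_safe), the class name and the sample paths are assumptions made for illustration.

```php
<?php
// Added example, not code from the easy_breadcrumb module or from this thread.
// Function names, class name and request paths are constructed for illustration.

// Turn a raw path segment into the text the breadcrumb displays. It only swaps
// separators for spaces; nothing here neutralises markup, which is the root cause.
function segment_to_title($segment) {
    return str_replace(array('-', '_'), ' ', $segment);
}

// Vulnerable: the segment text goes straight into the markup, the same shape as
// the line quoted in the report.
function build_breadcrumb_unsafe($path) {
    $breadcrumb = array();
    foreach (explode('/', trim($path, '/')) as $segment) {
        $classes = 'easy-breadcrumb_segment';
        $segment_text = segment_to_title($segment);
        $breadcrumb[] = '<span class="' . $classes . '">' . $segment_text . '</span>';
    }
    return $breadcrumb;
}

// Hardened: escape for an HTML text context before concatenating.
// ENT_QUOTES covers both quote characters; naming the charset explicitly avoids
// htmlspecialchars() silently returning '' on bytes that are invalid in the
// default encoding. Inside Drupal 7, check_plain() performs exactly this call.
function build_breadcrumb_safe($path) {
    $breadcrumb = array();
    foreach (explode('/', trim($path, '/')) as $segment) {
        $classes = 'easy-breadcrumb_segment';
        $segment_text = htmlspecialchars(segment_to_title($segment), ENT_QUOTES, 'UTF-8');
        $breadcrumb[] = '<span class="' . $classes . '">' . $segment_text . '</span>';
    }
    return $breadcrumb;
}

// Constructed request paths for pages that do not exist: an <svg onload> payload
// and the <img onload> payload from comment #2. A browser sends these
// percent-encoded; rawurldecode() stands in for the web server's decoding step.
// Neither payload contains a '/', so each stays within a single path segment.
$paths = array(
    rawurldecode('/no-such-page/%3Csvg%20onload=alert(1)%3E'),
    rawurldecode('/something/something%3Cimg%20src=%22test.png%22%20onload=%22alert()%22%3E/something'),
);

foreach ($paths as $path) {
    echo "Path:   $path\n";
    echo "unsafe: " . implode(' ', build_breadcrumb_unsafe($path)) . "\n";
    echo "safe:   " . implode(' ', build_breadcrumb_safe($path)) . "\n\n";
}
```

Run with `php` on the command line, the unsafe output keeps the tags intact, so a browser would execute the handlers, while the safe output has `<`, `>` and `"` turned into `&lt;`, `&gt;` and `&quot;` and the comment #2 payload becomes inert text. Two practical checks follow from this: first, confirm in the release you actually deploy that every place the segment text is concatenated into markup uses the escaped form, since a fix on one branch says nothing about another; second, htmlspecialchars is the right escaping for HTML text content only, so a segment that ends up inside an attribute value or a script block needs the escaping for that context instead.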