When editing a field "in place", a field label that contains HTML is not sanitized, so markup or script in the label is rendered and may be executed. Setting such a label requires the "Administer content types" permission, which should be granted only to trusted administrators.

Issue created in D8 core:
http://drupal.org/node/1889376
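To illustrate the class of bug described above, here is an added example (not the Edit module's code, nor the patch itself) contrasting label rendering that drops the text straight into markup with rendering that escapes it first. `checkPlain` is a minimal escaper in the spirit of Drupal core's `Drupal.checkPlain()`; the class name and sample label are constructed.

```javascript
// Minimal HTML escaper (assumption: modelled on Drupal core's
// Drupal.checkPlain(); implemented here so the snippet runs stand-alone).
function checkPlain(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsanitized: any HTML in the label is rendered by the browser.
function renderLabelUnsafe(label) {
  return '<label class="edit-field-label">' + label + '</label>';
}

// Sanitized: the label is escaped, so HTML in it is displayed literally.
function renderLabelSafe(label) {
  return '<label class="edit-field-label">' + checkPlain(label) + '</label>';
}

// Constructed sample: a field label an administrator entered with markup in it.
const sampleLabel = 'Body <b>text</b>';
```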

Comments

Assigned: Unassigned » nod_

Patch provided over at #1889376-1: Field label not sanitized.

Status: Active » Fixed

committed to 7.x-1.x, thanks :)

Issue tags: +Edit D7 Backport

Automatically closed -- issue fixed for 2 weeks with no activity.