Reported as a security issue a while back, but as this is still in RC and the maintainer has not responded, I have added this as a public issue:

Tested with 1.0-rc4, there is a non-persistent XSS vulnerability. URL:

http://example.org/twitter_pull_lazy/WFNT-PHNjcmlwdD5hbGVydCgnWFNTJyk7PC...

Will output an alert with XSS to the user.

Is this functionality used? If so, using check_plain on the title should fix the issue.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | twitter_pull-escape_title_for_html-1971784.patch | 731 bytes | relaxnow |
Comments

Comment #1

relaxnow commented (patch attached, see the file table above).

Comment #2

jec006 commented: Apparently my spam filter felt the security alert was spam and I didn't see it. In the 7.x branches I've elected to use filter_xss instead of check_plain as people may wish to have some markup in their titles (i.e. strong, em, etc.).

This has been fixed in all branches.
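The thread above weighs two fixes for the unescaped title: the reporter's check_plain (escape every HTML-significant character) and the maintainer's filter_xss (keep an allow-list of harmless tags, drop everything else). The following is an added illustration, not code from the twitter_pull module or from Drupal: it uses Python stand-ins for the two Drupal functions so the difference in output can be seen side by side. `escape_all` plays the role of check_plain; `filter_allowlist` is a minimal filter_xss-style sanitizer, and its `ALLOWED_TAGS` set is an assumption based on the maintainer's "strong, em etc" remark (Drupal's real default list is longer). The sample title is constructed; its `<script>` portion is the payload from the issue report.

```python
import html
from html.parser import HTMLParser

# Constructed sample title. The <script> part is the payload reported in the issue.
SAMPLE_TITLE = "Top <strong>security</strong> news <script>alert('XSS');</script>"

# Assumed allow-list, modelled on the "strong, em etc" remark in comment #2.
# Drupal's default filter_xss list is larger; this is illustrative only.
ALLOWED_TAGS = frozenset({"strong", "em", "b", "i"})


def render_unescaped(title: str) -> str:
    """The vulnerable pattern: interpolate the title into markup unchanged."""
    return f"<h2>{title}</h2>"


def escape_all(title: str) -> str:
    """check_plain-style handling: every HTML-significant character becomes an entity.
    Safe, but any <strong>/<em> the author intended is shown literally, not rendered."""
    return html.escape(title, quote=True)


class _AllowListFilter(HTMLParser):
    """filter_xss-style sanitizer (stand-in, not Drupal's implementation):
    keep allow-listed tags with their attributes stripped, drop all other tags,
    and entity-escape the text in between."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        # Attributes (onclick, style, href...) never survive, even on allowed tags.
        if tag in self.allowed:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is kept but escaped, so the body of a dropped <script>
        # becomes inert literal text rather than executable code.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()
        return "".join(self.out)


def filter_allowlist(title: str, allowed=ALLOWED_TAGS) -> str:
    """Return the title with only allow-listed tags kept (attribute-free)."""
    parser = _AllowListFilter(allowed)
    parser.feed(title)
    return parser.result()


if __name__ == "__main__":
    print("vulnerable:    ", render_unescaped(SAMPLE_TITLE))
    print("check_plain:   ", escape_all(SAMPLE_TITLE))
    print("filter_xss-ish:", filter_allowlist(SAMPLE_TITLE))
```

Both safe variants remove the script from the rendered page; they differ in what happens to the `<strong>` the author meant to keep. That is the trade-off the maintainer resolved in favour of filter_xss for the 7.x branches. Whichever is chosen, the check a reviewer wants is that the escaping or filtering happens at the point where the title is placed into HTML output, not only at input time.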