Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Wouldn't it make sense to check_plain() the $match Variable in videojs_filter.module on line 161?
Currently the content of the filter tags is used without any security checks, as it seems and that might be a potential security hole in my eyes, because users may input dangerous code into the videojs content.
May someone else have at look at that perhaps?
My suggestion is simple:
foreach ($matches[0] as $match) {
$attr = array();
$file = array();
$orig_match[] = $match;
// Modification here:
$match = str_replace(array('[', ']', '{', '}'), '', check_plain($match));
$options = explode('|', $match);
Comments
Comment #1
yaremchuk commentedHi Julian,
I'm appreciated for you interest to the module.
I will be glad if you join to maintainers of this module.
I have add you.
Please add your ideas to the module,
I think it will be good if commits will be belong to you.
Best,
Vasily
Comment #1.0
yaremchuk commentedCorrection in code.