The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.
The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that it is only exposed when the Twig filter is specifically used in a template to render content.
Install the latest version:
- If you use the Typogrify module for Drupal 10.x, upgrade to Typogrify 8.x-1.3
If you use the typogrify Twig filter provided by this module, then this update may cause double-encoding of text. See the updated README for best practices.
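The following simplified PHP model of the behaviour described above is an added example, not Twig or Typogrify code. `SafeMarkup`, `render`, `refine` and the two filter functions are hypothetical names, and the escape-first filter is an assumed way of closing the hole, not necessarily what the update does. It shows a filter whose output is marked safe skipping auto-escape, and the double-encoding that follows when a template has already escaped the value.

```php
<?php
// Simplified model of template auto-escaping. Not Twig or Typogrify code;
// every class and function name below is hypothetical.

/** Marks a string as finished HTML that the renderer must not escape. */
final class SafeMarkup {
    public function __construct(public readonly string $html) {}
}

/** Auto-escape: every printed value is escaped unless it is marked safe. */
function render(string|SafeMarkup $value): string {
    return $value instanceof SafeMarkup
        ? $value->html
        : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Stand-in for a typographic pass. It emits an HTML entity, which is why
 *  a filter like this has to return markup that is not escaped again. */
function refine(string $html): string {
    return str_replace('--', '&mdash;', $html);
}

/** Weak: raw input goes straight into output that is marked safe. */
function typo_filter_weak(string $text): SafeMarkup {
    return new SafeMarkup(refine($text));
}

/** Hardened (assumed approach): escape the input, then refine it. */
function typo_filter_hardened(string $text): SafeMarkup {
    return new SafeMarkup(refine(htmlspecialchars($text, ENT_QUOTES, 'UTF-8')));
}

// Constructed sample of stored, user-supplied text.
$stored = 'Tom & Jerry -- <script>alert(1)</script>';

// Plain variable: auto-escape neutralises the markup.
echo render($stored), "\n";

// Weak filter: the stored tag reaches the page as live markup.
echo render(typo_filter_weak($stored)), "\n";

// Hardened filter: tag is escaped, the typographic entity survives.
echo render(typo_filter_hardened($stored)), "\n";

// Template escaped the value itself before the hardened filter:
// existing entities are escaped a second time (double-encoding).
$pre_escaped = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo render(typo_filter_hardened($pre_escaped)), "\n";
```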
- Benji Fisher of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team