As reported in the Spread Firefox forums, there appears to be a filtering vulnerability when certain escaped characters are used to write out a script command launched from an href="javascript" link:
Demos
Comments
Comment #1
Steven commented: Fixed in CVS for head, 4.5 and 4.4.
Comment #2
(not verified) commented
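An added example, not code from this issue or from Drupal's fix, of why a filter that looks for the literal `javascript:` prefix misses escaped forms, next to a check that decodes before deciding. The issue does not say which escaped characters were involved; the example assumes HTML character references, and the function names, the scheme allowlist and the sample inputs are all constructed for illustration.

```javascript
'use strict';

// Character references a browser resolves before it reads the URL scheme.
const NAMED = new Map([['colon', ':'], ['tab', '\t'], ['newline', '\n']]);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

function fromCode(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd';
}

// Decode numeric and selected named references; the trailing ';' is optional.
function decodeCharRefs(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi,
    (match, hex, dec, name) => {
      if (hex) return fromCode(parseInt(hex, 16));
      if (dec) return fromCode(parseInt(dec, 10));
      return NAMED.get(name.toLowerCase()) ?? match;
    });
}

// Scheme as the browser will see it, or null for a relative URL.
function hrefScheme(raw) {
  const cleaned = decodeCharRefs(raw).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: decode first, then allowlist the scheme.
function isSafeHref(raw) {
  const scheme = hrefScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Naive check for contrast: matches only the literal, unescaped prefix.
function naiveIsSafeHref(raw) {
  return !/^\s*javascript:/i.test(raw);
}

// Constructed sample inputs (not taken from the issue).
const SAMPLES = ['http://example.org/', '/node/1', 'javascript:void(0)',
  'jav&#x61;script:void(0)', '&#106;avascript&#58;void(0)',
  'java&#9;script:void(0)'];

for (const href of SAMPLES) {
  console.log(JSON.stringify(href), 'naive:', naiveIsSafeHref(href),
    'hardened:', isSafeHref(href));
}
```

The allowlist is the part that matters: rejecting one known-bad scheme after decoding still leaves every other scheme open, while accepting only known-good schemes fails closed.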