When editing a field "in place", if the field label contains HTML it is not sanitized and malicious code may be executed (but the "Administer content types" permission is required, which should be given only to trusted administrators).
Comment | File | Size | Author |
---|---|---|---|
#2 | 1889376-field_label_checkplain-1.patch | 878 bytes | Wim Leers |
Comments

Comment #1
grisendo

Comment #2
Wim Leers: Simple fix; this is in line with what Field.module does in core/modules/field/lib/Drupal/field/Plugin/Type/Widget/WidgetBase.php. As the issue summary indicates, this is only a problem when malicious users have the "administer content types" permission.

Comment #3
Wim Leers

Comment #4
swentel: Looks good

Comment #5
webchick: That is un-good! Nice catch, grisendo!
Committed and pushed to 8.x. Thanks!

Comment #6
grisendo: Sorry! Wrong post :P (and I can't delete this comment).
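The unsanitized-label problem from the issue summary, and the check_plain() approach Comment #2 refers to, as an added illustration that is not the patch attached to this issue: the same label is interpolated into in-place-edit markup once raw and once through the escaping check_plain() performs. The helper names, the toolbar markup and the sample label are constructed for this example and are not Drupal's own code.

```php
<?php
// Added example, not the patch from this issue. Shows why a field label
// must be run through check_plain() before it reaches in-place-edit markup.

// Equivalent of Drupal's check_plain(): HTML-encode &, <, >, " and '.
function check_plain_equivalent($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for the in-place-edit toolbar markup that shows the
// field label. Vulnerable: the label is inserted as-is.
function field_toolbar_vulnerable($label) {
    return '<span class="field-label">' . $label . '</span>';
}

// Fixed: the label is escaped, so any HTML in it renders as literal text.
function field_toolbar_fixed($label) {
    return '<span class="field-label">' . check_plain_equivalent($label) . '</span>';
}

// Returns TRUE if the markup still carries a raw <script> tag from the label.
function label_markup_executes($markup) {
    return stripos($markup, '<script') !== FALSE;
}

// Constructed label, as only a user with "administer content types" could set
// it; real labels are plain text such as "Body".
$label = 'Body <script>alert(1)</script>';

$vulnerable = field_toolbar_vulnerable($label);
$fixed      = field_toolbar_fixed($label);

assert(label_markup_executes($vulnerable) === TRUE);
assert(label_markup_executes($fixed) === FALSE);
assert($fixed === '<span class="field-label">Body &lt;script&gt;alert(1)&lt;/script&gt;</span>');

echo $vulnerable, PHP_EOL; // script tag intact: a browser would execute it
echo $fixed, PHP_EOL;      // entities only: a browser shows the tag as text
```

The same escaping is what WidgetBase.php applies to labels in Field.module, which is why Comment #2 calls the fix a simple one.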