HTML special characters in content type name

HTML special characters in the names of content types are not properly sanitized before being displayed on the settings page. I have included a patch for version 6.x-2.1 which could correct this issue.

As it would require administer content types to exploit it as an XSS vulnerability, it would not be considered a security issue based on the following public service announcement: http://drupal.org/node/372836

Comment	File	Size	Author
#1	og.admin_.inc_.patch	510 bytes	mbarbella
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

mbarbella CreditAttribution: mbarbella commented 19 March 2010 at 13:15

File	Size
og.admin_.inc_.patch	510 bytes

Log in or register to post comments

amitaibu’s picture

Comment #2

Hebrew

Israel

CreditAttribution: amitaibu commented 19 March 2010 at 16:15

Priority:	Normal	» Critical
Status:	Active	» Needs review

Marking correct status - i'll review in the beginning of the week.

Log in or register to post comments

amitaibu’s picture

Comment #3

Hebrew

Israel

CreditAttribution: amitaibu commented 23 March 2010 at 14:32

Status:

Needs review

» Fixed

Fixed, thanks!

Log in or register to post comments

Comment #4

6 April 2010 at 14:40

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments