The revision unpublish form outputs the node title using a `!placeholder` in `t()`, so it is vulnerable to XSS. There are also PHP strict issues when using `drupal_render(drupal_get_form())`, as you have to separate the calls out since `drupal_render()` expects a reference.
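The two problems in the summary, as an added illustration that is not code from the workbench_moderation patch. It stands in for Drupal 7's `check_plain()`, `drupal_placeholder()` and the placeholder handling inside `t()` with minimal reimplementations (translation is omitted) so that it runs outside a Drupal bootstrap; the node title and the `render_by_ref()`/`build_form()` helpers are constructed for the demonstration and are not Drupal functions.

```php
<?php
// Added example; not part of the workbench_moderation project or its patch.
// Minimal stand-ins for Drupal 7's check_plain(), drupal_placeholder() and the
// placeholder handling of t()/format_string(). Real t() also translates the
// string; that is left out so this file runs without Drupal.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function drupal_placeholder($text) {
  return '<em class="placeholder">' . check_plain($text) . '</em>';
}

function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped with check_plain(): safe for untrusted text.
        $args[$key] = check_plain($value);
        break;
      case '!':
        // Inserted verbatim: the caller must already have sanitized it.
        break;
      case '%':
      default:
        // Escaped and wrapped in <em class="placeholder">.
        $args[$key] = drupal_placeholder($value);
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed node title of the kind an editor could enter on the node form.
$node_title = 'Hello <script>alert(1)</script>';

// Vulnerable pattern: !title drops the raw title straight into the markup.
$unsafe = t('Are you sure you want to unpublish !title?', array('!title' => $node_title));

// Fixed pattern: %title (or @title) runs the value through check_plain() first.
$safe = t('Are you sure you want to unpublish %title?', array('%title' => $node_title));

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Second problem: drupal_render() is declared as drupal_render(array &$elements),
// so passing another function's return value straight into it raises
// "Only variables should be passed by reference". render_by_ref() below has the
// same by-reference signature to show the difference without Drupal.
function render_by_ref(array &$elements) {
  $elements['#printed'] = TRUE;      // drupal_render() also writes back to the array
  return $elements['#markup'];
}

function build_form() {
  // Stand-in for drupal_get_form(): returns a fresh render array.
  return array('#markup' => '<form>...</form>');
}

// $output = render_by_ref(build_form());   // strict notice: not a variable
$form = build_form();                       // assign first ...
$output = render_by_ref($form);             // ... then render the variable
echo $output, PHP_EOL;
```

Running the file prints the unescaped message with the script tag intact, then the escaped message with `&lt;script&gt;` inside the `<em class="placeholder">` wrapper; the last line renders cleanly because the render array is held in a variable before being passed by reference.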
Comment | File | Size | Author |
---|---|---|---|
#4 | 1093722-wbmod-xss-misc.patch | 7.02 KB | Dave Reid |
#2 | 1093722-wbmod-xss-misc.patch | 7.02 KB | Dave Reid |
#1 | 1093722-wbmod-xss-misc.patch | 7.94 KB | Dave Reid |
Comments

Comment #1 (Dave Reid)

Comment #2 (Dave Reid): Without debugging code this time.

Comment #3 (stevector): Thanks Dave. I patched my version and everything seemed fine. Anyone else want to test this before moving it in?

Comment #4 (Dave Reid): Found a bug with the change of placeholder replacements. This one should be good to roll.

Comment #5 (muriqui): Patch works for me. Messages look good, annoying strict warnings are gone.

Comment #6 (Dave Reid): Committed to Git.
http://drupalcode.org/project/workbench_moderation.git/commit/c316125