Disclaimer

There is a vulnerability in this module, which was made public in the issue queue several months ago (here and here). For this reason the module is considered unfit for production sites and marked unsupported until the vulnerability has been fixed.

The module can be used safely if you are careful with configurations of views (i.e. creating no views with access restrictions so the views do not need to be protected from certain users) and configuring input formats accordingly (i.e. only trusted users have access to this module).

Drupal Security Team

Is it also in the D7 dev version, or is it fixed there?

Comments

JohnnyX

Sorry, quote tag doesn't work...

insert_view seems the one and only possibility to insert a view inside a node body...

AlexisWilke

Title: "There is a vulnerability in this modul"? » "There is a vulnerability in this module"?

Note that the warning was about version 1.x. Someone made updates and created version 2.x (for Drupal 6 & 7) and supposedly removed the security issue. The truth is that the issue is about the possibility for any user to access any view using the module and not the module itself. So if you're the only person doing edits or all are trusted, you don't take much risk anyway.

Best,
Alexis Wilke

JohnnyX

OK, thanks. I need views inserted into the body field at a site I maintain alone. So it should be no problem. And apart from "insert_view" there seems to be no other module to do this...

I also tested viewfield, but the view is rendered inside its own field, and inserting it with a token doesn't work for me. I'll try insert_view soon :)

JohnnyX

Did a short test. Nice module! :)

AlexisWilke

viewfield probably has the same security issue as insert view. I don't need it very often, but when I do I like it. It's like the InsertNode module, which I took over for Drupal 6.x. 8-)

JohnnyX

But viewfield can't insert the view into the body node? Or am I wrong?
Maybe InsertNode could also work for me, but it isn't for Drupal 7 :)

insert_view should be the solution for me ;)

AlexisWilke

Actually I never tried viewfield. My last sentence was probably confusing... 8-)

I don't need insert_view very often...

Yes. As I mentioned, the main problem is the fact that you can display any view, including hidden ones. To avoid problems, you want to make sure that only trusted people can use the corresponding filter.

JohnnyX

OK, shouldn't be a problem in my case :)
Many thanks for the help!

VM

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.