We output the label to the autocomplete JSON without encoding it first.

Initially reported as a security issue by Thijs Zoon.
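
The bug class described above, as an added example that is not part of the issue or the module's code: a stand-alone PHP sketch of an autocomplete response built with and without HTML-encoding the label. The function names and sample rows are hypothetical, and it assumes the client inserts each label into the suggestion list as HTML, as Drupal 7's core autocomplete widget does.

```php
<?php
// Added example, not the module's code. Names and rows are hypothetical.

// Same encoding that Drupal 7's check_plain() applies.
function encode_label($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Build the autocomplete response: key = value placed in the text field,
// value = label shown in the suggestion list.
function autocomplete_json(array $rows, $encode) {
  $matches = array();
  foreach ($rows as $id => $label) {
    $key = $label . ' (' . $id . ')';
    $matches[$key] = $encode ? encode_label($label) : $label;
  }
  // Flags used by Drupal 7's drupal_json_encode().
  return json_encode($matches, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
}

// Constructed sample data: the second label contains markup.
$rows = array(
  12 => 'Plain label',
  13 => 'Label <script>alert(1)</script>',
);

foreach (array(FALSE, TRUE) as $encode) {
  $json = autocomplete_json($rows, $encode);
  // What the browser holds after parsing the JSON.
  $labels = array_values(json_decode($json, TRUE));
  $markup = strpos($labels[1], '<') !== FALSE;
  printf("%s: %s\n  parsed label contains markup: %s\n",
    $encode ? 'encoded' : 'unencoded', $json, $markup ? 'yes' : 'no');
}
```

The JSON hex escapes only protect the JSON transport: once parsed, the unencoded label is raw markup again, so the label has to be HTML-encoded before it goes into the array.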

Comments

Damien Tournoud

Status: Active » Fixed

Fixed in ef75fff, merged into 7.x-1.x.

Automatically closed -- issue fixed for 2 weeks with no activity.