Themers and Developers consider $title safe in node.tpl.php.
$title is still set, but is now insecure while it has been secure since 2007. As it will continue to work, developers will just continue using D7 templates, create code by old habits, etc. and such accidentally introduce XSS issues.
Change $label to $title in node.tpl.php (or node.twig once basic node.twig is in with autoescape off) and use title of
Suggested resolution (for this issue):
or make secure via check_plain() after the node object has been flatted with code like this:
// Flatten the node entity's member fields.
$variables = array_merge((array) $node, $variables);
_This_ introduces the XSS and this is really difficult to see that a simple change from title to label could have such consequences.
Lets fix it. (Shameless plug: With twig and autoescape enabled $title would automatically be secure ;-) )
PASSED: [[SimpleTest]]: [MySQL] 46,868 pass(es).
FAILED: [[SimpleTest]]: [MySQL] 46,299 pass(es), 2 fail(s), and 1,483 exception(s).
PASSED: [[SimpleTest]]: [MySQL] 46,316 pass(es).
PASSED: [[SimpleTest]]: [MySQL] 46,238 pass(es).