When editing a field "in place", if the field label contains HTML it is not sanitized and malicious code may be executed (but the "Administer content types" permission is required, which should be given only to trusted administrators).
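The following is an added illustration of the issue summary above, not code from the Edit module or from the referenced patch. It assumes the in-place editing UI builds its markup by concatenating the field label into an HTML string; the label value, the checkPlain() helper (modelled on Drupal's check_plain(), i.e. htmlspecialchars with ENT_QUOTES and UTF-8) and the two render functions are constructed for this example.

```javascript
// Added example, not Edit module code: an administrator-controlled field
// label that is interpolated into markup unescaped becomes stored XSS in
// the in-place editing UI. The fix is to escape it before output.

// Equivalent of Drupal's check_plain(): htmlspecialchars(ENT_QUOTES, 'UTF-8').
function checkPlain(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Constructed malicious label, as someone holding "Administer content types"
// could save it through the field UI. Assumption: the label is stored verbatim.
const maliciousLabel = 'Body<img src=x onerror="alert(document.cookie)">';

// Vulnerable rendering: the label is dropped into the template as-is.
function renderLabelUnsafe(label) {
  return '<div class="edit-field-label">' + label + '</div>';
}

// Fixed rendering: the label is escaped, so any HTML in it is shown as text.
function renderLabelSafe(label) {
  return '<div class="edit-field-label">' + checkPlain(label) + '</div>';
}

// Count HTML tags in the rendered output. The template itself contributes
// exactly two (the opening and closing div); anything beyond that came from
// the label breaking out of its text context.
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

function containsInjectedTags(html) {
  return tagCount(html) > 2;
}

console.log('unsafe:', renderLabelUnsafe(maliciousLabel));
console.log('injected?', containsInjectedTags(renderLabelUnsafe(maliciousLabel)));
console.log('safe:  ', renderLabelSafe(maliciousLabel));
console.log('injected?', containsInjectedTags(renderLabelSafe(maliciousLabel)));
```

The check is deliberately structural rather than payload-specific: it does not look for "script" or "onerror" but for any tag the template did not produce, which is what a reviewer of a label-rendering path actually wants to confirm. In a real page the same escaping must happen wherever the label is emitted, including when it is passed to JavaScript through settings and later written into the DOM.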

Issue created in D8 core:


Wim Leers commented:

Assigned: Unassigned » nod_

Patch provided over at #1889376-1: Field label not sanitized.

nod_ commented:

Status: Active » Fixed

committed to 7.x-1.x, thanks :)

webchick commented:

Issue tags: +Edit D7 Backport

Automatically closed -- issue fixed for 2 weeks with no activity.