When editing a field "in place", if the field label contains HTML it is not sanitized and malicious code may be executed (but the "Administer content types" permission is required, which should be given only to trusted administrators).

Issue created in D8 core:

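As an added illustration, not the Edit module's own code or the committed fix: the unsafe way of dropping a field label into the in-place editor's markup beside the escaped form, using a standalone copy of the replacement table from Drupal 7's Drupal.checkPlain(); the function names and the sample label are constructed for this example.

```javascript
// Added illustration (not the Edit module's code): an in-place editor that
// builds its field-label markup from the configured label string, first in
// the unsafe form (raw concatenation) and then with the label escaped the
// way Drupal 7's Drupal.checkPlain() does. The label is set by whoever holds
// "Administer content types", so escaping must happen before it hits the DOM.

// Same replacement table as Drupal 7's Drupal.checkPlain() in drupal.js;
// a single pass avoids double-escaping the '&' that the other entities add.
function checkPlain(str) {
  const replace = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(str).replace(/[&"<>]/g, (c) => replace[c]);
}

// Unsafe: the label goes into the markup as-is, so any tags it contains
// become live elements in the page.
function renderLabelUnsafe(fieldLabel) {
  return '<div class="edit-field-label">' + fieldLabel + '</div>';
}

// Hardened: the label is escaped, so it is displayed as text, tags and all.
function renderLabelSafe(fieldLabel) {
  return '<div class="edit-field-label">' + checkPlain(fieldLabel) + '</div>';
}

// Crude check used only to show the difference: does the generated markup
// contain any tag other than the wrapper div?
function containsForeignTag(html) {
  const inner = html.replace(/^<div class="edit-field-label">|<\/div>$/g, '');
  return /<[a-z!/]/i.test(inner);
}

// Constructed sample: an administrator typed markup into the label field.
const SAMPLE_LABEL = 'Body <b>text</b>';

console.log(renderLabelUnsafe(SAMPLE_LABEL)); // tag survives into the page
console.log(renderLabelSafe(SAMPLE_LABEL));   // tag shown as literal text
```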

Wim Leers

Assigned: Unassigned » nod_
nod_

Status: Active » Fixed

committed to 7.x-1.x, thanks :)

webchick

Issue tags: +Edit D7 Backport

Automatically closed -- issue fixed for 2 weeks with no activity.