Works with Drupal: 7.x
Release notes
This release of 7.x-3.x fixes one security issue. Updating is strongly recommended for all users of the 7.x-3.x branch. See SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) for details.
Security issue
When a webform is made available as a block, the node's title is used as the default block title. This title is not sufficiently sanitized, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.
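The pattern described above, as an added illustration in plain PHP; it is not the Webform module's code or its actual patch. All function names are hypothetical, example_check_plain() stands in for Drupal 7's check_plain(), and the node is constructed sample data.

```php
<?php
// Added illustration only; runs without Drupal. All names are hypothetical.

// Stand-in for Drupal 7's check_plain(): HTML-escape text for output.
function example_check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the node title becomes the default block title as-is.
// Assumption: the theme layer prints a module-supplied subject unescaped.
function example_block_view_unsafe($node) {
  return array(
    'subject' => $node->title,
    'content' => '(form markup)',
  );
}

// Hardened pattern: escape the title at the point where it becomes markup.
function example_block_view_safe($node) {
  return array(
    'subject' => example_check_plain($node->title),
    'content' => '(form markup)',
  );
}

// Minimal stand-in for a block template that wraps the subject in a heading.
function example_render_block(array $block) {
  return '<h2>' . $block['subject'] . '</h2>' . $block['content'];
}

// Constructed sample: a node whose title contains markup.
$node = new stdClass();
$node->title = 'Contact <script>alert("xss")</script>';

$unsafe = example_render_block(example_block_view_unsafe($node));
$safe = example_render_block(example_block_view_safe($node));

// Check whether a live <script> element survives into each rendering.
echo 'unsafe contains <script>: ';
var_dump(strpos($unsafe, '<script>') !== FALSE);
echo 'safe contains <script>: ';
var_dump(strpos($safe, '<script>') !== FALSE);
echo $safe, "\n";
```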
Changes since 7.x-3.21:
- #SA-152635 by DanChadwick: Fixed default block title.