A security team we worked with on a recent project requested that we patch this module, and we're looking to see if this should get rolled into a release and if there's any feedback on the request for this change.
The update includes the following change to imce.page.inc, line 13:
```php
$jsop = isset($_GET['jsop']) ? $_GET['jsop'] : NULL;
```
to:
```php
$jsop = isset($_GET['jsop']) ? filter_xss($_GET['jsop']) : NULL;
```
Comment | File | Size | Author |
---|---|---|---|
#1 | add_filter_xss_to_get-2480451-01.patch | 510 bytes | r.aubin |
Comments
Comment #1
r.aubin commented
Comment #2
ufku commented
Sorry but that's not a security issue.
If you find one please report to the security team.
Comment #3
r.aubin commented
Thanks, ufku!