Because the _stanley_icon_classes() function directly uses arg values without filtering, it is possible to perform XSS through this theme.
Here is a patch that just filters the created class via drupal_clean_css_identifier().
Comment | File | Size | Author |
---|---|---|---|
 | stanley_template_xss.patch | 844 bytes | kyoder |
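
The bug class described in the report, as an added example that is not the Stanley theme's code or the attached patch: a hypothetical class builder that concatenates path arguments, beside a version filtered the way the report describes. `clean_css_identifier_standin()` is a simplified stand-in for Drupal 7's `drupal_clean_css_identifier()` so the snippet runs outside Drupal; the function names and the sample path are assumptions.

```php
<?php
// Added example, not the Stanley theme's code. All function names and the
// sample path below are hypothetical.

// Simplified stand-in for Drupal 7's drupal_clean_css_identifier(): map
// separators to '-', then drop every character that is not allowed in a
// CSS identifier (quotes, '=', '<', '>' and whitespace are all removed).
function clean_css_identifier_standin(string $identifier): string {
  $identifier = strtr($identifier, [
    ' ' => '-', '_' => '-', '/' => '-', '[' => '-', ']' => '',
  ]);
  $pattern = '/[^\x{002D}\x{0030}-\x{0039}\x{0041}-\x{005A}\x{005F}'
           . '\x{0061}-\x{007A}\x{00A1}-\x{FFFF}]/u';
  // preg_replace() returns null on invalid UTF-8; fall back to an empty class.
  return preg_replace($pattern, '', $identifier) ?? '';
}

// Unfiltered: path arguments are concatenated into the class name as-is.
function icon_class_unfiltered(array $args): string {
  return 'icon-' . implode('-', $args);
}

// Filtered: the same class name, passed through the identifier filter
// before it reaches the markup.
function icon_class_filtered(array $args): string {
  return clean_css_identifier_standin(icon_class_unfiltered($args));
}

// Constructed request path: the second segment carries a double quote,
// which closes the class attribute early when it is not filtered.
$args = ['admin', 'x" data-injected="1'];

// Print the markup each variant would emit so the difference is visible.
foreach (['icon_class_unfiltered', 'icon_class_filtered'] as $fn) {
  printf("%-22s <span class=\"%s\"></span>\n", $fn, $fn($args));
}
```

In the unfiltered line the quote ends the `class` attribute and a second attribute appears in the tag; in the filtered line the whole argument stays inside a single class name.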
Comments