• Advisory ID: DRUPAL-SA-CONTRIB-2009-019
  • Project: Localization client (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009-April-15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)


The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. When displaying translatable strings and their completed translations, the module does not escape the data. If used to translate the Drupal core interface, this is not a problem, since no user input is involved. However, when used with modules such as the Internationalization module suite or Views, user provided data is translated, making the module vulnerable to cross site scripting (XSS). This enables malicious users to insert arbitrary HTML and scripts into certain pages. Such an attack against sufficiently privileged users may lead to adminstrator access to the site.

Versions Affected

  • Versions of Localization client for Drupal 5.x prior to 5.x-1.2
  • Versions of Localization client for Drupal 6.x prior to 6.x-1.7

Drupal core is not affected. If you do not use the Localization client module, there is nothing you need to do.


Install the latest version.

Reported by

Grégoire Moreau

Fixed by

Roger Lopez, Alexander Hass, Bálint Csuthy, Jose A. Reyero and Gábor Hojtsy


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.