Today I tried to erase a spam trackback and I can't. It is because the text of the trackback has an 'a' tag at the end without closing it (and without text). The Confirm erase button is next to the text, and it becomes a button to that link and loses its functionality of submitting the form.
Effects:
- the confirm erase button is made unusable
- the attacker can redirect to any page with the session and cookies of the admin
I suppose it is a general problem of every text field, but I can't prove it.
Page attached.
(To erase it I had to save that page to the HD, modify the form action and delete the open a tag.)
Comments
Comment #1
jamarier commented:
I solved it by swapping 2 lines in trackback.module:
from:
drupal_set_message(t('Do you want to delete this trackback?'));
$output .= theme('trackback',$trackback_received,FALSE);
$output .= form(form_submit(t('Delete')));
print theme('page',$output);
to:
drupal_set_message(t('Do you want to delete this trackback?'));
$output .= form(form_submit(t('Delete')));
$output .= theme('trackback',$trackback_received,FALSE);
print theme('page',$output);
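
An added example, not part of the comment above or of trackback.module: one way to address the cause the report describes, an unclosed tag in untrusted trackback text, is to filter and re-serialize that text before it is placed in the page. It assumes a current PHP with the DOM extension; `render_untrusted_excerpt()` and the sample excerpt are hypothetical.

```php
<?php
// Added example; render_untrusted_excerpt() is a hypothetical helper, not part of trackback.module.

/**
 * Reduce untrusted HTML to an allow-list of tags and re-serialize it through a
 * parser, so a tag left open in the input is closed before the page continues.
 */
function render_untrusted_excerpt(string $html): string {
    // Remove every element that is not on the allow-list (attributes are filtered below).
    $html = strip_tags($html, '<a><em><strong><p><br>');

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // malformed input is expected
    // The wrapper <div> is ours: strip_tags() already removed any <div> or </div> in the input.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $container = $doc->getElementsByTagName('div')->item(0);

    foreach (iterator_to_array($container->getElementsByTagName('*')) as $element) {
        foreach (iterator_to_array($element->attributes) as $attribute) {
            // Keep only href on <a>, and only when it is an http(s) URL.
            $is_web_link = $element->nodeName === 'a'
                && $attribute->nodeName === 'href'
                && preg_match('#^https?://#i', $attribute->nodeValue);
            if (!$is_web_link) {
                $element->removeAttribute($attribute->nodeName);
            }
        }
    }

    // Serialize only the wrapper's children; elements left open in the input come back closed.
    $clean = '';
    foreach ($container->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

// Constructed sample: a trackback excerpt ending in an empty, unclosed anchor.
$excerpt = 'Great post! <a href="http://spam.example/" onclick="x()">';

// The excerpt is closed off before the delete form is appended, so the
// submit button can no longer end up inside the link from the excerpt.
echo render_untrusted_excerpt($excerpt), "\n";
echo '<form method="post"><input type="submit" value="Delete"></form>', "\n";
```

With the text filtered this way, the order in which the excerpt and the form are appended to the page no longer decides whether the button works.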
Comment #2
Pomliane commented:
This version of TrackBack is not supported anymore. The issue is closed for this reason.
Please upgrade to a supported version and feel free to reopen the issue on the new version if applicable.
This issue has been automagically closed by a script.