Subj. like:

[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"support","theme_token":"STHhpT9tnkmp2Zl0qYhW79Xb8Wd8CxaVG-kpOjqCsVY"},"quote_nest":"5"},"merge":true},{"command":"insert","method":"replaceWith","selector":"#timer","data":"\u003Cdiv id=\u0027timer\u0027\u003E\u003Cspan class=\u0027jst_timer\u0027\u003E\n    \u003Cspan class=\u0027interval\u0027 style=\u0027display: none;\u0027\u003E1800\u003C\/span\u003E\n    \u003Cspan class=\u0027format_txt\u0027 style=\u0027display:none;\u0027\u003E%hours%:%mins%:%secs%\u003C\/span\u003E\n    \u003C\/span\u003E\u003C\/div\u003E","settings":null}]

Not sure does it represent security issue, but anyway it is not nice to see it.

Comments

nickonom created an issue. See original summary.

louis delacretaz’s picture

louis delacretaz commented

Is also outputed from 7.x-4.5

johnennew’s picture

johnennew commented
Version: 7.x-5.x-dev » 7.x-4.x-dev

This URL is a system url for ajax requests the module makes, it is not intended for a person to visit the url directly. There are many similar examples of this inside of the main Drupal core codebase. It is not a security risk.

Please describe the steps you took to arrive at that url and see that output.

nickonom’s picture

nickonom commented

I don't remember how exactly, but I ended up on that screen on autologout, so the module definitely needs to do things differently to prevent it.

deaom’s picture

deaom commented
Status: Active » Closed (works as designed)

If you do not know how to reproduce it, so can't we, so we can not test it. I'm closing this one, and it can be reopened if it occurs again and steps to reproduce it are provided.