The CSS class(es) input box accepts anything. It needs to validate for proper input, disallowing HTML tags.
Repeatable: Always
Steps to repeat:
1. Install Block_class module
2. Visit the Admin >> Build >> Block
3. Configure any block
4. Enter alert(123); within script tags in the CSS class(es) input box. It will accept it.
Comments
Comment #1
berenddeboer commented: Not a major, as this is entered by people with admin capability, so they can basically already do anything.
I doubt how much we can do here, however; being too strict might disallow certain possible class names.
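One way to validate the field without being stricter than CSS itself, as an added example that is not code from the Block Class module or from anyone on this issue: the value is split on whitespace and every token must match the CSS 2.1 identifier grammar (leading hyphen, underscore and non-ASCII letters allowed), so markup is rejected while legitimate class names still pass. The form field name `css_class` and the validate handler name are assumptions.

```php
<?php
// Added example (not Block Class module code). Accepts a whitespace-separated
// list of CSS identifiers and reports any token that is not one.

/**
 * Returns the tokens that are not valid CSS identifiers; empty means valid.
 */
function block_class_invalid_classes($input) {
  // CSS 2.1 ident without backslash escapes: optional leading '-', then a
  // letter, underscore or non-ASCII char, then letters, digits, '-', '_' or
  // non-ASCII. Escapes are deliberately not accepted: a class attribute never
  // needs them, and rejecting them keeps '<', '>', '"' and '/' out entirely.
  $ident = '/^-?[_a-zA-Z\x{80}-\x{10FFFF}][-_a-zA-Z0-9\x{80}-\x{10FFFF}]*$/u';
  $bad = array();
  foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $token) {
    if (!preg_match($ident, $token)) {
      $bad[] = $token;
    }
  }
  return $bad;
}

/**
 * Hypothetical form validate handler; 'css_class' as the field name is an
 * assumption. Attached via '#validate' on the block configure form.
 */
function block_class_form_validate($form, &$form_state) {
  $bad = block_class_invalid_classes($form_state['values']['css_class']);
  if (!empty($bad)) {
    form_set_error('css_class', t('Invalid CSS class(es): @bad', array('@bad' => implode(' ', $bad))));
  }
}

// Quick check from the command line.
var_dump(block_class_invalid_classes('foo -bar _baz my-class2'));     // array()
var_dump(block_class_invalid_classes('<script>alert(123);</script>')); // the whole tag rejected
var_dump(block_class_invalid_classes('ok 1bad -'));                    // '1bad' and '-' rejected
```

Because a class name cannot contain `<`, `>`, quotes or `/`, this also closes the attribute-breakout case without needing a separate tag-stripping pass.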