The CSS class(es) input box accepts anything. It needs to validate for proper input, disallowing HTML tags.

Repeatable: Always
Steps to repeat:
1. Install Block_class module
2. Visit the Admin >> Build >> Block
3. Configure any block
4. Enter alert(123); within script tags in the CSS class(es) input box. It will accept it.

Comments

berenddeboer:

Assigned: Unassigned » berenddeboer
Priority: Major » Normal
Status: Active » Closed (won't fix)

Not a major, as this is entered by people with admin capability, so they can basically already do anything.

I doubt how much we can do here, however; being too strict might disallow certain possible class names.
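
An added example of the validation the report asks for, written for this page and not taken from the Block Class module: instead of trying to strip HTML tags, it accepts only a whitespace-separated list of CSS identifiers, so the reproduction input above is rejected before it is stored. The pattern deliberately limits identifiers to ASCII (CSS also allows non-ASCII characters and backslash escapes), which is the strictness trade-off the maintainer's comment raises. The function names, the `css_class` form element name and the Form API wiring are assumptions for illustration; `form_set_error()` and `t()` are the Drupal 6/7 functions.

```php
<?php
// Added example, not the Block Class module's code. Validates the
// "CSS class(es)" field as a whitespace-separated list of CSS identifiers
// rather than blacklisting tags, so <script> never reaches the database.

/**
 * Returns an array of class names if every token is a valid CSS identifier,
 * or FALSE if any token is not.
 *
 * Assumption: only ASCII identifiers are needed. CSS also permits non-ASCII
 * characters and backslash escapes; this pattern rejects those, which is the
 * "too strict" trade-off mentioned in the comment above.
 */
function block_class_example_parse_classes($input) {
  $classes = preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
  foreach ($classes as $class) {
    // Optional leading hyphen, then a letter or underscore, then letters,
    // digits, hyphens or underscores. Rejects "<", ">", quotes, and
    // identifiers that start with a digit or with two hyphens.
    if (!preg_match('/^-?[_a-zA-Z][_a-zA-Z0-9-]*$/', $class)) {
      return FALSE;
    }
  }
  return $classes;
}

/**
 * Form API validation callback (hypothetical wiring; the real module's form
 * element name may differ). form_set_error() marks the field invalid and
 * stops the form from being submitted.
 */
function block_class_example_form_validate($form, &$form_state) {
  $input = $form_state['values']['css_class'];
  if ($input !== '' && block_class_example_parse_classes($input) === FALSE) {
    form_set_error('css_class', t('CSS classes may only contain letters, digits, hyphens and underscores, separated by spaces.'));
  }
}

// Constructed sample inputs and the expected verdict for each.
$samples = array(
  'sidebar-left featured_2' => TRUE,
  '-webkit-thing' => TRUE,
  '<script>alert(123);</script>' => FALSE,  // the reproduction from the report
  '2col' => FALSE,                           // identifiers cannot start with a digit
  'a"onmouseover="x' => FALSE,               // attribute break-out attempt
);
foreach ($samples as $input => $expected) {
  $ok = block_class_example_parse_classes($input) !== FALSE;
  printf("%-32s %s\n", $input, $ok === $expected ? 'as expected' : 'MISMATCH');
}
```

Input validation does not replace output escaping: whatever is stored should still pass through check_plain() (or an equivalent attribute-safe escaper) when the class attribute is rendered, since the stored value may have been written by other code paths.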