Code like

form_set_error('form', variable_get('distil_registration_errormsg'));

should be

form_set_error('form', filter_xss(variable_get('distil_registration_errormsg')));

So even admins can’t cause XSS problems.
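To show where the unfiltered string actually reaches the browser and what the fix changes, here is an added example of a small Drupal 7 module. It is not the Distil module's own code; the function names example_settings_form(), example_register_validate(), example_registration_allowed() and the variable 'example_registration_errormsg' are hypothetical, and example_registration_allowed() is a constructed stand-in for whatever check refuses a registration.

```php
<?php
/**
 * Added example for a Drupal 7 module (not the Distil module's own code).
 * Hypothetical names: example_settings_form(), example_register_validate(),
 * example_registration_allowed() and the variable 'example_registration_errormsg'.
 */

// Settings form: an administrator stores the message shown on failed registration.
// system_settings_form() saves each element into a Drupal variable of the same name.
function example_settings_form($form, &$form_state) {
  $form['example_registration_errormsg'] = array(
    '#type' => 'textarea',
    '#title' => t('Registration error message'),
    '#default_value' => variable_get('example_registration_errormsg', ''),
    '#description' => t('Shown to users when registration is refused. Limited HTML is allowed.'),
  );
  return system_settings_form($form);
}

// Vulnerable pattern: the stored string reaches the page unfiltered.
// form_set_error() hands the message to drupal_set_message(), and
// theme_status_messages() prints it as raw HTML, so markup placed in the
// variable by anyone with access to the settings form is rendered for every
// visitor who triggers the error.
function example_register_validate_vulnerable($form, &$form_state) {
  if (!example_registration_allowed($form_state['values'])) {
    form_set_error('form', variable_get('example_registration_errormsg', ''));
  }
}

// Hardened pattern: filter_xss() keeps only its default whitelist of tags
// (a, em, strong, cite, blockquote, code, ul, ol, li, dl, dt, dd), drops
// on* event-handler attributes and strips dangerous URL schemes, so an admin
// can still write <strong> or a link but cannot inject script.
function example_register_validate($form, &$form_state) {
  if (!example_registration_allowed($form_state['values'])) {
    form_set_error('form', filter_xss(variable_get('example_registration_errormsg', '')));
  }
}

// Constructed stand-in for the module's real decision logic: refuse any
// submission without a mail address so the error path can be exercised.
function example_registration_allowed(array $values) {
  return !empty($values['mail']);
}
```

Filtering on output, as the fix does, is the usual Drupal 7 choice because it covers every path that reads the variable, including values that were saved before the fix was deployed. If the message is never meant to carry markup, check_plain() is the stricter option; filter_xss() is appropriate when administrators legitimately need a link or emphasis in the text.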

Comments

drumm created an issue. See original summary.



Status: Active » Fixed

Also fixed.

  • Mixologic committed 138656b on 7.x-1.x
    Issue #2647062: filters error messages to prevent xss

Status: Fixed » Needs review

wrong status


Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.