I am reporting https://www.drupal.org/requirements to moderators because:

The documentation states that:

Drupal 7: PHP 5.2.5 or higher (5.3 recommended).

A fresh installation of Drupal 7 on PHP 5.4 or 5.5 allows XSS.

Steps to reproduce the issue:

1. Install Drupal with PHP 5.4 or 5.5.
2. Add the <img> tag to the allowed tags for the Filtered HTML text format.
3. Create a Basic Page with the Body in the Filtered HTML text format and the content <img src=" &#14; javascript:alert(0)">
4. Save the page.
5. View the page content: it is not filtered for JavaScript.

Please clarify the documentation about the versions of PHP for Drupal 7.
I did not report this in the Drupal Core issues because in PHP 5.3 the content is filtered.

Attachments:

File         Size       Author
oisx76.jpg   151.21 KB  andribas
ay58c8.jpg   100.22 KB  andribas
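The report above hinges on an attribute value whose scheme is hidden behind a numeric entity for a control character (&#14;), which html_entity_decode() on PHP 5.4+ no longer decodes. The following Python is an added illustration (not Drupal's code) of the defensive approach: decode every numeric entity, including "invalid" ones, and strip control characters before checking the scheme, so the filter sees the same string the browser acts on. The allow-list of schemes and the Drupal-style stripping loop are constructed for this example.

```python
import re

# Allow-list of URL schemes for attributes such as <img src>. Constructed for
# this example; it mirrors the idea of an allowed-protocol list, not Drupal's own.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}

_NUMERIC_ENTITY = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")


def decode_numeric_entities(value: str) -> str:
    """Decode every &#NN; / &#xHH; reference to its code point.

    Unlike html_entity_decode() on PHP 5.4+, this also decodes references
    to control characters such as &#14;, so nothing survives as an opaque
    token in the middle of a would-be scheme.
    """
    def repl(match):
        ref = match.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(code) if code <= 0x10FFFF else match.group(0)
    return _NUMERIC_ENTITY.sub(repl, value)


def normalize_url_attribute(value: str) -> str:
    """Entity-decode, then drop control characters and whitespace that
    browsers ignore while parsing a URL scheme (deliberately strict)."""
    decoded = decode_numeric_entities(value)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded)


def strip_dangerous_protocols(value: str) -> str:
    """Iteratively remove any scheme not on the allow-list (Drupal-style loop)."""
    uri = normalize_url_attribute(value)
    while True:
        colon = uri.find(":")
        if colon <= 0:
            return uri                      # no scheme at all
        scheme = uri[:colon]
        if re.search(r"[/?#]", scheme):
            return uri                      # relative URL, colon is not a scheme
        if scheme.lower() in ALLOWED_PROTOCOLS:
            return uri
        uri = uri[colon + 1:]               # drop the disallowed scheme and retry


def is_safe_url_attribute(value: str) -> bool:
    """True when sanitising the value changes nothing."""
    return strip_dangerous_protocols(value) == normalize_url_attribute(value)
```

Running the page's own attribute value through strip_dangerous_protocols() yields just "alert(0)", i.e. the javascript scheme is removed regardless of the entity trick.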

Comments

killes@www.drop.org:

Unpublishing as a security vulnerability is mentioned.

klausi:

Status: Active » Closed (duplicate)

Republished, this is a duplicate of #1210798: In PHP 5.4+, html_entity_decode() doesn't decode invalid numeric entities.

This is only a problem in IE6.

andribas:

Status: Closed (duplicate) » Active

Actually, this was a request for clarification: is it safe to run Drupal 7 on PHP 5.4+?
See this comment: https://www.drupal.org/requirements#comment-9402681

klausi:

Status: Active » Closed (duplicate)

Yes, it is safe to run Drupal 7 on PHP 5.4+.

pwolanin:

Title: Moderation report for System requirements » Possible XSS on PHP 5.4+