A FILTER_MODE_BLACKLIST was added to the Xss class. To call this dangerous is a serious understatement. People might get confused as to which one to use, and a flawed call coupled with blacklist is a security hole. With the traditional whitelist, there is much less confusion and you need to straightforwardly enable insecure tags.
The optional $mode argument is gone from Filter::Xss. Good riddance. Change notice at https://www.drupal.org/node/2365293
Fixed
8.0
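As an added illustration of the whitelist-versus-blacklist point made in the issue (this is not code from the issue, nor from Drupal's Xss class), a Python sketch of the two modes: the tag regex, the surviving_tags helper and the EXAMPLE_BLOCKED_TAGS list are assumptions, and the attribute stripping that the real Xss::filter() also performs is left out. It also shows what the issue calls a "flawed call": an empty list passed to the allowlist mode fails closed, while the same mistake in blacklist mode fails open.

```python
import re

# Tag names Drupal's Xss::filter() permits by default; everything else is
# stripped. (Default list as documented for Drupal 8; attribute filtering,
# which the real Xss class also performs, is omitted here for brevity.)
DEFAULT_ALLOWED_TAGS = frozenset(
    ["a", "em", "strong", "cite", "blockquote", "code",
     "ul", "ol", "li", "dl", "dt", "dd"])

# A hypothetical blocklist (assumption), as a "blacklist mode" caller would
# have to keep current by hand. Anything it forgets passes through untouched.
EXAMPLE_BLOCKED_TAGS = frozenset(["script", "style"])

# Matches an opening or closing tag and captures its name in group 2.
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def filter_allowlist(html, allowed=DEFAULT_ALLOWED_TAGS):
    """Allowlist mode: keep a tag only if its name is explicitly allowed."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(2).lower() in allowed else "", html)


def filter_blocklist(html, blocked=EXAMPLE_BLOCKED_TAGS):
    """Blocklist mode: drop a tag only if its name is explicitly blocked."""
    return TAG_RE.sub(
        lambda m: "" if m.group(2).lower() in blocked else m.group(0), html)


def surviving_tags(html):
    """Names of the tags still present after filtering."""
    return {m.group(2).lower() for m in TAG_RE.finditer(html)}


# Constructed sample input: one allowed tag, one commonly blocked tag, and
# one tag the blocklist never heard of.
SAMPLE = ('<p><em>ok</em> <script>x</script>'
          '<iframe src="https://example.invalid/"></iframe></p>')

if __name__ == "__main__":
    print(filter_allowlist(SAMPLE))   # <em>ok</em> x
    print(filter_blocklist(SAMPLE))   # <p> and <iframe> survive
    # The "flawed call": an empty list. Allowlist fails closed (no tags
    # survive); blocklist fails open (every tag survives).
    print(surviving_tags(filter_allowlist(SAMPLE, frozenset())))  # set()
    print(surviving_tags(filter_blocklist(SAMPLE, frozenset())))  # all four
```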