On #2902178-10: Add title attribute to iframe (7.x), @dsnopek noticed that if you put HTML into at least some of the settings fields, and repeatedly click on the gear wheel and re-save, you end up with double-HTML-encoded values.
This is not a security problem, but it's buggy.
For example, add <script>alert("xss");</script> into various fields, submit, click gear, and you'll see instead <script>alert("blah")</script>. Submit and click again, and it will be double encoded again.
We should (a) add a test for this and (b) fix it.
It may also be a problem for 8.x, so this should be tested/fixed there too.
Closed: outdated
1.0
User interface
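A minimal model of the edit/re-save round trip described in this issue, added here as an illustration and not taken from the module's code. It assumes the cause is that the settings form is pre-filled with an already-encoded value which is then stored as submitted; all function names are hypothetical.

```php
<?php
// Hypothetical model of a settings edit/save cycle; not the module's own code.

// Buggy: the edit form is pre-filled with an encoded value and the submit
// handler stores whatever comes back, so every cycle encodes once more.
function buggy_load_for_edit(array $settings): string {
    return htmlspecialchars($settings['title'], ENT_QUOTES, 'UTF-8');
}

// Fixed: storage always holds the raw value, so the form is pre-filled raw.
function fixed_load_for_edit(array $settings): string {
    return $settings['title'];
}

// Both variants store the submitted text unchanged.
function save_setting(array &$settings, string $submitted): void {
    $settings['title'] = $submitted;
}

// Encoding happens exactly once, at the point of output.
function render_title_attribute(array $settings): string {
    return 'title="' . htmlspecialchars($settings['title'], ENT_QUOTES, 'UTF-8') . '"';
}

// Simulate "click gear, re-save" $cycles times and return the stored value.
function round_trip(callable $load, string $input, int $cycles): string {
    $settings = ['title' => $input];
    for ($i = 0; $i < $cycles; $i++) {
        save_setting($settings, $load($settings));
    }
    return $settings['title'];
}

// Regression check: the stored value must survive repeated re-saves unchanged.
$input = '<script>alert("xss");</script>'; // sample value from the report
$buggy = round_trip('buggy_load_for_edit', $input, 2);
$fixed = round_trip('fixed_load_for_edit', $input, 2);

if ($buggy !== '&amp;lt;script&amp;gt;alert(&amp;quot;xss&amp;quot;);&amp;lt;/script&amp;gt;') {
    throw new RuntimeException('model no longer reproduces the double encoding');
}
if ($fixed !== $input) {
    throw new RuntimeException('stored value changed across re-saves');
}
// Output is still escaped once, so the markup stays inert in the attribute.
echo render_title_attribute(['title' => $fixed]), PHP_EOL;
```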