Security scans indicate that the usage of functions like 'json_decode' without proper validation and sanitization of argument can cause cross-site scripting issues.
Version -- 7.x-3.10
Sample -- context/plugins/context_reaction_block.inc
/**
* Compatibility wrapper around json_decode().
*/
protected function json_decode($json, $assoc = FALSE) {
// Requires PHP 5.2.
if (function_exists('json_decode')) {
return json_decode($json, $assoc); // No validation for arguments.
}
else {
watchdog('context', 'Please upgrade your PHP version to one that supports json_decode.');
}
}
Correct validation of the values to be added as argument for these functions can get rid of this vulnerability and make the project more secure.
Needs review
3.10
Code
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.