This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.
Problem/Motivation
When the issue was reported to the security team, @cilefen made the following observation:
> However, there are a few example files in the library, such as recaptcha-v2-checkbox-explicit.php, which contains the following, which is basically identical to the example-captcha.php file you attached:
// The POST data here is unfiltered because this is an example.
// In production, *always* sanitise and validate your input'
?>
<h2><kbd>POST</kbd> data</h2>
<kbd><pre><?php var_export($_POST);?></pre></kbd>
Original report by @sarswatsudhakar references files in 7.x-2.2 which were later removed (https://git.drupalcode.org/project/recaptcha/-/blob/7.x-2.2/recaptcha-ph...)
> Line 76 of example-captcha.php sends unvalidated data to a web browser, which can result in the browser executing malicious code, in the below-mentioned files.
Steps to reproduce
@larowlan attempted to exploit this on nginx and Apache and was unable to.
Proposed resolution
From @poker10: remove the recaptcha-php/examples folder from the 7.x-2.x version of the module. This is recommended so that the example code will not communicate insecure patterns.
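The output pattern flagged in the example file, shown beside an escaped form. This is an added example, not code from the recaptcha module or the reCAPTCHA PHP library; the function names and the sample array are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: function names and sample data are hypothetical.

/** Mirrors the example file's pattern: the dump goes into HTML as-is. */
function render_post_unescaped(array $post): string
{
    return '<kbd><pre>' . var_export($post, true) . '</pre></kbd>';
}

/**
 * Same debug dump, but HTML-escaped as a whole. Escaping the complete
 * var_export() string covers array keys as well as values; both come
 * from the request and both end up in the page.
 */
function render_post_escaped(array $post): string
{
    $dump = var_export($post, true);
    return '<kbd><pre>'
        . htmlspecialchars($dump, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</pre></kbd>';
}

// Constructed sample standing in for $_POST; markup in a value and in a key.
$sample = [
    'g-recaptcha-response' => 'constructed-token',
    'comment'              => '<script>alert(1)</script>',
    '<b>key</b>'           => 'value',
];

$unescaped = render_post_unescaped($sample);
$escaped   = render_post_escaped($sample);

// Compare what a browser would receive from each variant.
printf("unescaped contains <script>: %s\n",
    strpos($unescaped, '<script>') !== false ? 'yes' : 'no');
printf("escaped contains <script>:   %s\n",
    strpos($escaped, '<script>') !== false ? 'yes' : 'no');
printf("escaped contains <b>:        %s\n",
    strpos($escaped, '<b>') !== false ? 'yes' : 'no');

echo $escaped, PHP_EOL;
```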
Remaining tasks
User interface changes
API changes
Data model changes