The module currently passes important and potentially sensitive data between the main form and the confirmation page via URL query parameters. This includes encoded taxonomy term names, term IDs, total nodes, unpublished flags, and vocabulary IDs:
While functional, this approach has some drawbacks:
Use Drupal's private tempstore (private_tempstore) or $_SESSION to securely store this data across requests. This will:
This change will improve the security and maintainability of the module and align with standard Drupal practices. It will also pave the way for further enhancements (e.g., allowing users to resume pending operations or navigate back/forth more cleanly).
Active
1.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Created a MR for this - https://git.drupalcode.org/project/taxonomy_term_replace/-/merge_requests/1