I was testing another issue patch and found this issue that can lead a website in a critical situation where only option would be to uninstall this module from the site, or will require deleting the script from the database manually
This is related to the XSS injection, if someone enter a script in the class or custom attribute field and place the block.
The script get executed each time the autocomplete ajax is triggered when editing existing block or placing a new block in block layout this can lead to possible xss injection attack.
Add validation before saving user entered values in database and do not allow saving any value containing any script in the database
Active
4.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Security issues should not be reported here. Follow the procedure for reporting security issues → .
Now that this issue is closed, please review the contribution record.
As a contributor, attribute any organization helped you, or if you volunteered your own time.
Maintainers, please credit people who helped resolve this issue.