XSS attacks and security scan via testbot

Created on 1 May 2010; updated 16 May 2025

Recent patches for Form API, Filter module, and whatnot made me worry about D7's healthiness with regard to sanitization of user input on output.

The idea:

1) Enable all modules.

2) Grant all permissions.

3) Take menu router, fetch all router items having 'page callback' => 'drupal_get_form'.

4) Get all of those forms and insert <script>alert('XSS');</script> into all textfields and textareas. Submit.

5) Handle validation errors somehow. (Magic xpath trickery, but possible.)

6) Afterwards, fetch the menu router again, and visit any possible page in Drupal.

7) On every single page, assert that <script>alert('XSS');</script> is not contained in the raw output.
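The sweep sketched in steps 3 to 7, as an added example that is not part of the original issue and not Drupal code: a Python harness run against a constructed stand-in site (ToySite, hypothetical) whose router entries mirror the 'page callback' => 'drupal_get_form' shape of menu_get_router(). It injects a per-field canary instead of one shared payload so that a finding names the form and field it came from, counts only the raw marker (an HTML-escaped copy is the expected safe rendering), and leaves step 5 (validation errors) unmodelled.

```python
"""Stored-XSS sweep in the shape described above: inject a script marker into every
text field of every form, then re-fetch every routable page and fail on raw echoes.
ToySite is a constructed stand-in for a Drupal install, not Drupal code."""
import html
from html.parser import HTMLParser


def canary(form_path, field):
    """A per-field marker so a finding names the form and field it came from."""
    return "<script>alert('XSS:%s:%s');</script>" % (form_path, field)


class FormParser(HTMLParser):
    """Collect the text inputs and textareas of every <form> on a page (step 4)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif self._current is None:
            return
        elif tag == "input" and a.get("type", "text") == "text" and a.get("name"):
            self._current["fields"].append(a["name"])
        elif tag == "textarea" and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


class ToySite:
    """Hypothetical site (constructed): a router shaped like D7 menu_get_router()
    entries, a store that submitted values land in, and pages that render them."""

    def __init__(self):
        self.store = {}

    def menu_get_router(self):
        return {
            "admin/config/site": {"page callback": "drupal_get_form"},
            "node/add/page": {"page callback": "drupal_get_form"},
            "node/1": {"page callback": "node_page_view"},
            "admin/reports": {"page callback": "report_page"},
        }

    def get(self, path):
        if self.menu_get_router()[path]["page callback"] == "drupal_get_form":
            return self._render_form(path)
        if path == "node/1":
            # Correct behaviour: user input escaped on output.
            return "<h1>%s</h1><div>%s</div>" % (
                html.escape(self.store.get("title", "")),
                html.escape(self.store.get("body", "")))
        # Deliberately sloppy page (constructed for the example): site name echoed raw.
        return "<p>Site: %s</p>" % self.store.get("site_name", "")

    def post(self, path, edit):
        """Stand-in for a form submission; validation errors (step 5) are not modelled."""
        self.store.update(edit)
        return self.get(path)

    def _render_form(self, path):
        if path == "admin/config/site":
            fields = '<input type="text" name="site_name">'
        else:
            fields = '<input type="text" name="title"><textarea name="body"></textarea>'
        return '<form action="/%s" method="post">%s<input type="submit" value="Save"></form>' % (path, fields)


def sweep(site):
    """Steps 3-7: inject into every drupal_get_form form, then re-crawl the router.
    Returns (page, source form, source field) for every raw echo of a marker."""
    router = site.menu_get_router()
    form_paths = [p for p, item in router.items()
                  if item["page callback"] == "drupal_get_form"]
    injected = []
    for path in form_paths:
        parser = FormParser()
        parser.feed(site.get(path))
        for form in parser.forms:
            edit = {f: canary(path, f) for f in form["fields"]}
            site.post(path, edit)
            injected.extend((path, f) for f in form["fields"])

    findings = []
    for page in router:
        out = site.get(page)
        for form_path, field in injected:
            # Only the raw marker counts: an HTML-escaped copy (&lt;script&gt;...) is the
            # expected safe rendering. This is a lower bound; it misses payloads that
            # land in attribute or JavaScript contexts where <script> is never needed.
            if canary(form_path, field) in out:
                findings.append((page, form_path, field))
    return findings


if __name__ == "__main__":
    for page, form_path, field in sweep(ToySite()):
        print("raw echo on %s from %s[%s]" % (page, form_path, field))
```

Against the toy site the sweep reports one raw echo, on admin/reports, traced to the site_name field of admin/config/site, while node/1 passes because it escapes on output. Against a real install the same shape applies, with the router and the GET/POST calls swapped for the test framework's; the substring assertion of step 7 stays a lower bound, since a value that lands inside an attribute or a script block can be exploitable without a literal <script> tag surviving.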

Issue type: Feature request
Status: Needs work
Version: 11.0
Component: base system
Created by: sun (Karlsruhe, Germany)
Tags: Security improvements


Comments & Activities


  • First commit to issue fork.