#Needs security review

Open on Drupal.org →

⚡️ Live updates comments, jobs, and issues, tagged with #Needs security review will update issues and activities on this page.

Issues

The last 100 updated issues.

🐛
Use email verification when changing user email addresses
Needs work
Drupal core 10.1 — user.module
Created almost 19 years ago
🇬🇧United Kingdom AjK
1 day ago
🐛
ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs review
Drupal core 10.1 — entity_reference.module
Created about 7 years ago
🇮🇳India nghai
11 days ago
🐛
\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created over 6 years ago
🇺🇸United States samuel.mortenson
30 days ago
📌
[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 10.1 — media system
Created over 4 years ago
🇺🇸United States phenaproxima
about 1 month ago
📌
[1.0.x] JSON to Content Type Builder
Active
JSON to Content Type Builder 1.0
Created about 1 month ago
guri221
about 1 month ago
📌
Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created over 7 years ago
🇬🇧United Kingdom alexpott
2 months ago
📌
Check for common words in password strength indicators
Needs work
Drupal core 11.0 — user.module
Created over 13 years ago
🇺🇸United States webkenny
2 months ago
🐛
Url only outputs the last value of a query parameter
Needs work
Drupal core 10.1 — routing system
Created over 6 years ago
🇵🇱Poland blazey
3 months ago
🐛
Allow password reset on account w username matching another email. Prevent registrations which match another account
Needs review
Drupal core 10.1 — user.module
Created over 13 years ago
🇺🇸United States hefox
3 months ago
📌
[1.0.x] Video Embed ChampDS
Active
Drupal.org security advisory coverage applications
Created 3 months ago
🇮🇳India pmkanse
3 months ago
📌
[1.0.x]Paragraph Locator
Active
Drupal.org security advisory coverage applications
Created about 1 year ago
🇨🇦Canada deepak5423
4 months ago
📌
Possible security issue for the voting route
Active
Like & Dislike 2.0
Created 5 months ago
🇺🇦Ukraine HitchShock
5 months ago
📌
Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Needs work
Drupal core 10.1 — base system
Created about 5 years ago
ayushst
5 months ago
🐛
Should "iFrame domain" also set "X-Frame-Options" header
Active
Drupal core 11.0 — media system
Created almost 6 years ago
🇩🇰Denmark osman
5 months ago
📌
GET forms MUST NOT have CSRF tokens
Needs work
Drupal core 11.0 — forms system
Created almost 10 years ago
🇧🇪Belgium wim leers
6 months ago
📌
[1.0.x] Domain Access Webform
Active
Drupal.org security advisory coverage applications
Created about 1 year ago
ajay-mallah
6 months ago
🐛
User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created about 10 years ago
tvn
6 months ago
✨
Create a global "kill switch" for Package Manager
Needs review
Automatic Updates 3.0
Created over 3 years ago
🇺🇸United States phenaproxima
6 months ago
📌
Security review for 8.x-1.0
Active
Resource Hints 1.0
Created over 8 years ago
🇺🇸United States bighappyface
7 months ago
🐛
Dots in query parameter names converted to underscores
Needs work
Drupal core 9.5 — menu system
Created about 7 years ago
🇺🇸United States awolfey
10 months ago
✨
Allow to change upload formats for managed_file
Needs work
Menu Link Attributes 1.0
Created about 2 years ago
🇺🇦Ukraine NotifyOne
12 months ago
🌱
Consider using phpstorage for update module
Closed: outdated
Drupal core 11.0 — update.module
Created about 9 years ago
🇬🇧United Kingdom catch
about 1 year ago
🐛
User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created over 8 years ago
🇬🇧United Kingdom xiwar
about 1 year ago
✨
Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created over 14 years ago
🇺🇸United States tekante
over 1 year ago
📌
Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created over 2 years ago
🇨🇳China xiukun.zhou
over 1 year ago
🐛
"Restrict images to this site" restricts images that, by definition, *are* on this site.
Needs work
Drupal core 11.0 — filter.module
Created almost 7 years ago
🇺🇸United States ben coleman
over 1 year ago
🐛
Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created over 5 years ago
🇺🇸United States becw
over 1 year ago
📌
[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created almost 2 years ago
🇬🇧United Kingdom adamps
almost 2 years ago
✨
Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created about 13 years ago
🇺🇸United States cashwilliams
almost 2 years ago
🐛
Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created over 13 years ago
🇨🇭Switzerland berdir
almost 2 years ago
💬
Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created about 2 years ago
🇨🇦Canada aastrong
almost 2 years ago
📌
Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created almost 8 years ago
🇺🇸United States john.oltman
almost 2 years ago
🐛
text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created about 6 years ago
🇺🇸United States effulgentsia
about 2 years ago
📌
Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created over 5 years ago
🇦🇺Australia larowlan
about 2 years ago
✨
Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created about 12 years ago
🇺🇸United States dave reid
over 2 years ago
📌
Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created over 12 years ago
🇬🇧United Kingdom damiankloip
over 2 years ago
🐛
make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created over 9 years ago
🇨🇭Switzerland yobottehg
over 2 years ago
🐛
The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created almost 6 years ago
🇨🇿Czech Republic martin_klima
over 2 years ago
🐛
MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created over 6 years ago
🇭🇷Croatia xSDx
over 2 years ago
🐛
Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created almost 4 years ago
🇬🇧United Kingdom longwave
over 2 years ago
✨
Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created over 3 years ago
🇺🇸United States effulgentsia
over 2 years ago
🐛
htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created about 6 years ago
🇧🇬Bulgaria Plamen.Penev
over 2 years ago

Activities

The last 7 days of comments and CI jobs.

Comment 1 day ago →
🇨🇭Switzerland znerol
Rebased for OOP hook conversion.
in Drupal core » Use email verification when changing user email addresses
Comment 2 days ago →
🇨🇭Switzerland znerol
From the IS:

Don't re-use user_mail_notify or mutate the email on a cloned version of the user in case someone calls ::save() on it

I think this would be straight forward to implement after 📌 Extract _user_mail_notify() into a user MailHandler Active .
in Drupal core » Use email verification when changing user email addresses

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024

#Needs security review

Issues

Use email verification when changing user email addressesNeeds workDrupal core 10.1 — user.module Created almost 19 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing referencesNeeds reviewDrupal core 10.1 — entity_reference.module Created about 7 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()Needs workDrupal core 10.1 — bootstrap system Created over 6 years ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointlessActiveDrupal core 10.1 — media system Created over 4 years ago

[1.0.x] JSON to Content Type BuilderActiveJSON to Content Type Builder 1.0 Created about 1 month ago

Don't automatically set a cookie domainNeeds reviewDrupal core 10.1 — base system Created over 7 years ago

Check for common words in password strength indicatorsNeeds workDrupal core 11.0 — user.module Created over 13 years ago

Url only outputs the last value of a query parameterNeeds workDrupal core 10.1 — routing system Created over 6 years ago

Allow password reset on account w username matching another email. Prevent registrations which match another accountNeeds reviewDrupal core 10.1 — user.module Created over 13 years ago

[1.0.x] Video Embed ChampDSActiveDrupal.org security advisory coverage applications Created 3 months ago

[1.0.x]Paragraph LocatorActiveDrupal.org security advisory coverage applications Created about 1 year ago

Possible security issue for the voting routeActiveLike & Dislike 2.0 Created 5 months ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensionsNeeds workDrupal core 10.1 — base system Created about 5 years ago

Should "iFrame domain" also set "X-Frame-Options" header ActiveDrupal core 11.0 — media system Created almost 6 years ago

GET forms MUST NOT have CSRF tokensNeeds workDrupal core 11.0 — forms system Created almost 10 years ago

[1.0.x] Domain Access WebformActiveDrupal.org security advisory coverage applications Created about 1 year ago

User email should not be case sensitivePostponedDrupal core 10.1 — user.module Created about 10 years ago

Create a global "kill switch" for Package ManagerNeeds reviewAutomatic Updates 3.0 Created over 3 years ago

Security review for 8.x-1.0ActiveResource Hints 1.0 Created over 8 years ago

Dots in query parameter names converted to underscoresNeeds workDrupal core 9.5 — menu system Created about 7 years ago

Allow to change upload formats for managed_fileNeeds workMenu Link Attributes 1.0 Created about 2 years ago

Consider using phpstorage for update moduleClosed: outdatedDrupal core 11.0 — update.module Created about 9 years ago

User must be logged-in to use the cancel account link that is emailedNeeds workDrupal core 11.0 — user.module Created over 8 years ago

Allow the use of symlinks within the files directory.Needs workDrupal core 11.0 — file system Created over 14 years ago

Password reset form error makes no sense when the account is lockedNeeds workDrupal core 11.0 — user system Created over 2 years ago

"Restrict images to this site" restricts images that, by definition, *are* on this site.Needs workDrupal core 11.0 — filter.module Created almost 7 years ago

Avoid overwriting .htaccess changes during scaffolding > security problemNeeds workDrupal core 11.0 — composer Created over 5 years ago

[PP-1] Add security checking for Symfony Mailer transportsPostponedDrupal core 11.0 — mail system Created almost 2 years ago

Allow README.md to optionally render as the project pageFixedDrupal.org customizations 3.0 Created about 13 years ago

Stream wrappers don't decode url encoded URIsNeeds workDrupal core 9.5 — file system Created over 13 years ago

Apply for Drupal Security Advisory Coverage Closed: duplicateAdvanced Link Attributes 2.5 Created about 2 years ago

Please opt into security advisory coverageClosed: duplicateWiden Collective 1.0 Created almost 8 years ago

text_summary() returns a plain string, even if passed a MarkupInterface objectNeeds workDrupal core 11.0 — text.module Created about 6 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor rolesActiveDrupal core 11.0 — filter.module Created over 5 years ago

Allow selection of which folder a file is to on the file/add formNeeds reviewFile Entity (fieldable files) 2.0 Created about 12 years ago

Add YAML support to serialization moduleNeeds workDrupal core 10.1 — serialization.module Created over 12 years ago

make x-frame-options configurablePostponedDrupal core 10.1 — request processing system Created over 9 years ago

The XSS filter should allow more HTML entitiesNeeds workDrupal core 10.1 — base system Created almost 6 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup classNeeds workDrupal core 10.1 — field system Created over 6 years ago

Xss::filter() does not handle HTML tags inside attribute valuesClosed: duplicateDrupal core 10.1 — filter.module Created almost 4 years ago

Drupal 10 compatibilityFixedjQuery UI 1.0 Created over 3 years ago

htmlspecialchars() expects parameter 1 to be string, array givenNeeds workDrupal core 9.5 — markup Created about 6 years ago

Activities

Use email verification when changing user email addresses
Needs work
Drupal core 10.1 — user.module
Created almost 19 years ago

ValidReferenceConstraintValidator should not try to enforce data integrity on pre-existing references
Needs review
Drupal core 10.1 — entity_reference.module
Created about 7 years ago

\Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
Needs work
Drupal core 10.1 — bootstrap system
Created over 6 years ago

[policy, no patch] Secondary subdomain for viewing oEmbed content is confusing and pointless
Active
Drupal core 10.1 — media system
Created over 4 years ago

[1.0.x] JSON to Content Type Builder
Active
JSON to Content Type Builder 1.0
Created about 1 month ago

Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created over 7 years ago

Check for common words in password strength indicators
Needs work
Drupal core 11.0 — user.module
Created over 13 years ago

Url only outputs the last value of a query parameter
Needs work
Drupal core 10.1 — routing system
Created over 6 years ago

Allow password reset on account w username matching another email. Prevent registrations which match another account
Needs review
Drupal core 10.1 — user.module
Created over 13 years ago

[1.0.x] Video Embed ChampDS
Active
Drupal.org security advisory coverage applications
Created 3 months ago

[1.0.x]Paragraph Locator
Active
Drupal.org security advisory coverage applications
Created about 1 year ago

Possible security issue for the voting route
Active
Like & Dislike 2.0
Created 5 months ago

Do not use the .php extension in mtime protected storage to work around bogus PHP extensions
Needs work
Drupal core 10.1 — base system
Created about 5 years ago

Should "iFrame domain" also set "X-Frame-Options" header
Active
Drupal core 11.0 — media system
Created almost 6 years ago

GET forms MUST NOT have CSRF tokens
Needs work
Drupal core 11.0 — forms system
Created almost 10 years ago

[1.0.x] Domain Access Webform
Active
Drupal.org security advisory coverage applications
Created about 1 year ago

User email should not be case sensitive
Postponed
Drupal core 10.1 — user.module
Created about 10 years ago

Create a global "kill switch" for Package Manager
Needs review
Automatic Updates 3.0
Created over 3 years ago

Security review for 8.x-1.0
Active
Resource Hints 1.0
Created over 8 years ago

Dots in query parameter names converted to underscores
Needs work
Drupal core 9.5 — menu system
Created about 7 years ago

Allow to change upload formats for managed_file
Needs work
Menu Link Attributes 1.0
Created about 2 years ago

Consider using phpstorage for update module
Closed: outdated
Drupal core 11.0 — update.module
Created about 9 years ago

User must be logged-in to use the cancel account link that is emailed
Needs work
Drupal core 11.0 — user.module
Created over 8 years ago

Allow the use of symlinks within the files directory.
Needs work
Drupal core 11.0 — file system
Created over 14 years ago

Password reset form error makes no sense when the account is locked
Needs work
Drupal core 11.0 — user system
Created over 2 years ago

"Restrict images to this site" restricts images that, by definition, are on this site.
Needs work
Drupal core 11.0 — filter.module
Created almost 7 years ago

Avoid overwriting .htaccess changes during scaffolding > security problem
Needs work
Drupal core 11.0 — composer
Created over 5 years ago

[PP-1] Add security checking for Symfony Mailer transports
Postponed
Drupal core 11.0 — mail system
Created almost 2 years ago

Allow README.md to optionally render as the project page
Fixed
Drupal.org customizations 3.0
Created about 13 years ago

Stream wrappers don't decode url encoded URIs
Needs work
Drupal core 9.5 — file system
Created over 13 years ago

Apply for Drupal Security Advisory Coverage
Closed: duplicate
Advanced Link Attributes 2.5
Created about 2 years ago

Please opt into security advisory coverage
Closed: duplicate
Widen Collective 1.0
Created almost 8 years ago

text_summary() returns a plain string, even if passed a MarkupInterface object
Needs work
Drupal core 11.0 — text.module
Created about 6 years ago

Deprecate the "Full HTML" text format in Standard and Umami in favor of a "content editor HTML" for content editor roles
Active
Drupal core 11.0 — filter.module
Created over 5 years ago

Allow selection of which folder a file is to on the file/add form
Needs review
File Entity (fieldable files) 2.0
Created about 12 years ago

Add YAML support to serialization module
Needs work
Drupal core 10.1 — serialization.module
Created over 12 years ago

make x-frame-options configurable
Postponed
Drupal core 10.1 — request processing system
Created over 9 years ago

The XSS filter should allow more HTML entities
Needs work
Drupal core 10.1 — base system
Created almost 6 years ago

MapItem unserialize function in setValue method should allow TranslatableMarkup class
Needs work
Drupal core 10.1 — field system
Created over 6 years ago

Xss::filter() does not handle HTML tags inside attribute values
Closed: duplicate
Drupal core 10.1 — filter.module
Created almost 4 years ago

Drupal 10 compatibility
Fixed
jQuery UI 1.0
Created over 3 years ago

htmlspecialchars() expects parameter 1 to be string, array given
Needs work
Drupal core 9.5 — markup
Created about 6 years ago