Upgrade Your Drupal Skills
We trained 1,000+ Drupal Developers over the last decade.
See Advanced Courses NAH, I know EnoughDrupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
Install the latest version:
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true"
, or you'll need to use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false"
where this is appropriate.
Updates
Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl()
function.
The update to Drupal 7 is likely to cause a regression in AJAX functionality on sites which use jQuery 1.5 (for example via the jQuery Update module). This issue seems to specifically affect jQuery 1.5; the version included in Drupal 7 core (1.4.4) and versions 1.6 and later do not suffer from the regression.
About Drupal Sun
Drupal Sun is an Evolving Web project. It allows you to:
- Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
- Facet based on tags, author, or feed
- Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
- View the entire article text inline, or in the context of the site where it was created
See the blog post at Evolving Web