Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0
The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.
The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that it is only exposed when the twig filter is specifically used in a template to render content.
Install the latest version:
If you use the Typogrify module for Drupal 10.x, upgrade to Typogrify 8.x-1.3
If you use the typogrify Twig filter provided by this module, then this update may cause double-encoding of text. See the updated README for best practices.