Lots of things were fixed during the hackathon…
• 4 critical security issues (in D6/7 *and* 8!)
• 8 blockers to Safe Markup criticals
• 2 upgrade path criticals
• 1 Entity API critical
Markup in Drupal 7
<script>alert('Mwahahaha!')</script>
<script>alert("Mwahahaha!")</script>
https://www.drupal.org/writing-secure-code
• check_plain() / check_markup()
• filter_xss() / filter_xss_admin()
• t() with @ or % placeholders
Markup in Drupal 8
<script>alert('Mwahahaha!')</script>
<script>alert("Mwahahaha!")</script>
"Twig autoescape enabled" change record
Instances of SafeMarkup::set()
[meta] Remove every SafeMarkup::set() call
This week! =>
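To make the Drupal 7 and Drupal 8 slides above concrete, here is an added example (not Drupal core code and not from the slides) that models the escaping rules they refer to and runs them against the slide's own payload. The functions `model_check_plain()`, `model_format_string()`, `model_twig_print()` and the class `ModelSafeMarkup` are stand-ins written for this example: check_plain() in Drupal 7 is a thin wrapper around htmlspecialchars(), t() escapes @ and % placeholders but passes ! placeholders through raw, and in Drupal 8 Twig autoescapes plain strings but prints anything marked as safe markup verbatim.

```php
<?php
// Added example, not Drupal core code: a self-contained model of the escaping
// rules on the slides. Constructed input: the same payload the slides use.
$untrusted = "<script>alert('Mwahahaha!')</script>";

// Drupal 7 style: check_plain() is essentially htmlspecialchars() with
// ENT_QUOTES and UTF-8. Modelled locally; the real one is in core.
function model_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Drupal 7 style placeholder rules used by t()/format_string():
//   @var -> escaped with check_plain()
//   %var -> escaped and wrapped in <em class="placeholder">
//   !var -> inserted raw (only safe for markup that is already sanitised)
function model_format_string(string $string, array $args): string {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = model_check_plain($value);
                break;
            case '%':
                $args[$key] = '<em class="placeholder">' . model_check_plain($value) . '</em>';
                break;
            case '!':
                // Raw passthrough: nothing is escaped here.
                break;
        }
    }
    return strtr($string, $args);
}

// Drupal 8 style: a value object standing in for "this string is safe markup".
// Anything wrapped in it bypasses autoescape when printed.
final class ModelSafeMarkup {
    public function __construct(private string $markup) {}
    public function __toString(): string { return $this->markup; }
}

// Model of Twig autoescape: escape plain strings, print safe markup verbatim.
function model_twig_print(string|ModelSafeMarkup $value): string {
    return $value instanceof ModelSafeMarkup ? (string) $value : model_check_plain($value);
}

// Drupal 7: escaped output is inert text.
echo model_check_plain($untrusted), PHP_EOL;
echo model_format_string('Hello @name', ['@name' => $untrusted]), PHP_EOL;
echo model_format_string('Hello %name', ['%name' => $untrusted]), PHP_EOL;
// The ! placeholder keeps the script tag intact: this is the D7 footgun.
echo model_format_string('Hello !name', ['!name' => $untrusted]), PHP_EOL;

// Drupal 8: autoescape neutralises the string...
echo model_twig_print($untrusted), PHP_EOL;
// ...unless untrusted input was wrapped as "safe" first, which is why every
// SafeMarkup::set() call on untrusted data had to be found and removed.
echo model_twig_print(new ModelSafeMarkup($untrusted)), PHP_EOL;
```

Run it with `php example.php`: the first two Drupal 7 lines and the first Drupal 8 line print `&lt;script&gt;...` as inert text, while the `!name` line and the `ModelSafeMarkup` line print the script tag unchanged, which is the point of the SafeMarkup::set() cleanup on the slides.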
Sordid tale…
• Beta 12 (June 29) we started requiring upgrade paths in core patches.
• Beta 13 (July 29) we attempted to provide an upgrade path to site builders from Beta 12
• People tested it, found out stuff broke (silent fails on content updates)
• Now fixing those issues, and adding better automated tests to mitigate future regressions.
Hackathon Accomplishments, in short…
• Drupal 6/7: more secure for our customers today
• Drupal 8: more secure for our customers tomorrow (including plugging #1 security hole)
• Drupal 8 beta-to-beta upgrade path two issues away from being unblocked
• Major milestone for customers waiting to make the leap into Drupal 8
• Less Cloud Team angst!