Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030

Project: FacetsVersion: 8.x-1.x-devDate: 2019-February-27Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: This module enables you to create facet-filters for results of a search query and exposes them as blocks
The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.Solution: 

An effective mitigation is to change the widget to use links instead of the dropdown widget.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2019-030