A long while back, security researcher Sam Mortenson reported a cross-site scripting vulnerability in Drupal core's Link module. Essentially, the options property on link fields was not being properly sanitized. This meant cross-site scripting was possible under some circumstances -- and, as always for cross-site scripting, we were concerned that the XSS could be combined with other attacks and escalated to more serious exploits.
Funding contribution

My role on the committer team is that of a release manager. We're the folks who actually create the Drupal core releases that you can install on your site.
The most recent issue of Drupal Watchdog includes an article on software freedom and social change in Drupal. While this article raises a number of thoughtful questions about the social implications of the Drupal community's evolution, it includes some misinformation (both because it misrepresents the data that are easily available and because it lacks data that are not easily available). In the first part of this post, I look at the specific information presented in the article and provide some more depth, including some first-hand information about Acquia, since I work in Acquia's Office of the CTO. In the second part, I explore how we can mitigate some of the concerns the article raises.