Document that filter_xss() must never be used in an attribute context

Created on 11 March 2015, about 10 years ago
Updated 26 March 2025, 12 days ago

See https://docs.acquia.com/articles/using-filter-functions-intended-filterx...

We need to document at https://www.drupal.org/writing-secure-code and/or https://www.drupal.org/node/28984 that filter_xss() must never be used for values placed in an HTML attribute context, and that people should use drupal_clean_css_identifier() or similar there instead, otherwise they get XSS issues.
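As an added illustration of the summary's point (not code from this issue or from Drupal core): a deliberately simplified Python model of filter_xss()'s tag stripping and an approximation of drupal_clean_css_identifier()'s character allowlist, showing why the former does not protect an attribute value and the latter does. Both functions (filter_xss_model, clean_css_identifier) are assumptions modelled on the documented behaviour, not the real implementations.

```python
import re

# Constructed, simplified stand-in for Drupal 7's filter_xss(): disallowed tags are
# removed, but plain text, including quote characters, passes through untouched.
# (The real function does much more; only that property matters here.)
ALLOWED_TAGS = {"a", "em", "strong", "cite", "blockquote", "code",
                "ul", "ol", "li", "dl", "dt", "dd"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def filter_xss_model(text: str) -> str:
    """Drop tags not in ALLOWED_TAGS; leave all other characters alone."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", text)


# Assumed approximation of drupal_clean_css_identifier(): a few characters are
# mapped to '-', then everything outside [-0-9A-Z_a-z] and non-ASCII is removed,
# so quotes, '=' and '<' can never survive into the attribute value.
def clean_css_identifier(identifier: str) -> str:
    for src, dst in ((" ", "-"), ("_", "-"), ("/", "-"), ("[", "-"), ("]", "")):
        identifier = identifier.replace(src, dst)
    return re.sub(r"[^-0-9A-Z_a-z\u00A1-\uFFFF]", "", identifier)


def vulnerable_div(user_value: str) -> str:
    # Attribute context: tag stripping says nothing about the quote that ends class="".
    return '<div class="%s">' % filter_xss_model(user_value)


def hardened_div(user_value: str) -> str:
    # Same context, but the value is reduced to a CSS identifier first.
    return '<div class="%s">' % clean_css_identifier(user_value)


def attribute_names(start_tag: str) -> list:
    """Names of the attributes a browser would see on the start tag (for checking)."""
    return re.findall(r"\s([a-zA-Z-]+)=", start_tag)


if __name__ == "__main__":
    # Constructed sample: a value that closes the class attribute and opens another.
    sample = 'foo" data-injected="1'
    print(vulnerable_div(sample), attribute_names(vulnerable_div(sample)))
    print(hardened_div(sample), attribute_names(hardened_div(sample)))
```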

📌 Task
Status

Postponed: needs info

Component

Missing documentation

Created by

🇦🇹Austria klausi 🇦🇹 Vienna


Comments & Activities


  • 🇳🇿New Zealand quietone

    The first link is a 404 so I can't check if this has been resolved.

    Anyone know if there is work to be done for this?

  • 🇺🇸United States greggles Denver, Colorado, USA

    Unfortunately web.archive.org doesn't have that page indexed :sob:

    I tried to rewrite the issue summary based on what I *think* that article said.

    My copy is probably close to what needs to be added to the pages, so...needs review?

  • 🇳🇿New Zealand quietone

    @greggles, thanks. Are you able to edit that page?

  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    That is a page created from a documentation comment. Any change to that page requires changing a comment in Drupal core code.

  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    I recall there was a page suggesting when Xss::filter() should be used. (Maybe that page still exists.)

    IMO, that should be better written in the documentation for a Drupal core method, in the same way the documentation for FormattableMarkup::placeholderFormat() shows wrong calls to that method.

  • 🇺🇸United States greggles Denver, Colorado, USA

    I fixed it on https://www.drupal.org/node/28984

    @avpaderno I think documenting in multiple places is fine, so you could open another issue for the change you're proposing.
