PlainTextOutput::renderFromHtml may render potentially dangerous output

Created on 23 July 2017, almost 8 years ago
Updated 2 June 2025, 5 days ago

Despite its name and description, PlainTextOutput::renderFromHtml() does not guarantee that the output is plain text.

\Drupal\Component\Render\PlainTextOutput::renderFromHtml('<script>alert("XSS")</script>');
The above code returns <script>alert(XSS)</script>.

We may need to rename the class, or at least warn users about its possible security implications.
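The failure mode described above, as an added example that is not part of the issue or of Drupal core: the helper render_from_html_like() is an assumed approximation of the method (strip tags, then decode entities), used here to show why the result must still be escaped before it lands in an HTML context (in Drupal, Html::escape() or Twig autoescaping does that).

```php
<?php
// Added example, not Drupal's own code. Assumption: renderFromHtml() is
// approximated as strip_tags() followed by entity decoding.

/** Approximation of PlainTextOutput::renderFromHtml() for demonstration only. */
function render_from_html_like(string $html): string {
    return html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** The result is plain text, so it has to be escaped before reuse in HTML. */
function embed_in_html(string $plain): string {
    return htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Defensive check: does a string still carry markup characters? */
function contains_markup(string $s): bool {
    return strpbrk($s, '<>') !== false;
}

// Constructed inputs: a raw tag and the same tag entity-encoded, as user input might arrive.
$raw     = '<script>alert("XSS")</script>';
$encoded = '&lt;script&gt;alert("XSS")&lt;/script&gt;';

// For raw markup, strip_tags() removes the element and only the text remains.
$fromRaw = render_from_html_like($raw);

// For entity-encoded markup, strip_tags() sees no tags, and the decoding step
// that follows turns the entities back into live <script> markup.
$fromEncoded = render_from_html_like($encoded);
assert(!contains_markup($fromRaw));
assert(contains_markup($fromEncoded));

// Mitigation: treat the return value as untrusted plain text and escape it at
// the output boundary instead of echoing it into HTML directly.
echo embed_in_html($fromEncoded), PHP_EOL;
```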

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

render system

Created by

🇷🇺Russia Chi

  • Security


Comments & Activities


  • 🇫🇷France prudloff Lille

    I think there could be a valid concern here.
    The description of the class does state that this should not be used in HTML contexts but the name of the method could imply that it could be used to transform HTML into harmless plain text.
    I have seen this method misused in custom code.
    I also would not be surprised if a Google search like "drupal convert HTML to plaintext" points users to this method.

    Maybe the description of the method could make it clearer that it is dangerous in HTML contexts?
