FAPI checkboxes aren't automatically escaped like some other form elements. This can lead to XSS vulnerabilities in contrib modules which don't handle the escaping themselves. Following discussion in the security team we've decided that any contrib modules in 6 should be dealt with individually, and an approach along the lines of #242873: make drupal_set_title() use check_plain() by default. β in 7.x and 8.x would to make sense.
Closed: outdated
11.0 π₯
Last updated
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Enhances developer experience.
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
The last comment states that "#options for radios and checkboxes is definitely XSS admin filtered and select #options are escaped in D8. And like the previous comment thinks this is a duplicate, although neither is sure which issue it is a duplicate of. After that there has been no activity here for 9 years. It is time to close this.
Since it is no clear what issue is the duplicate, I am closing as outdated.