Render array file_link renders user-entered text: #description is not escaped

Created on 16 June 2022, about 3 years ago
Updated 16 June 2025, about 2 months ago

Problem/Motivation

I create a file field and tick 'Enable Description field'.

When uploading a file, I override the displayed filename by entering a Description with HTML-like characters, e.g. '<h1>best file.docx'.

Then on the website, if using the generic file formatter, the HTML is literally displayed.

The <script> tags are stripped, so this is not a security risk.

This is caused by the #description key being used in other areas, e.g. help text, where you want some HTML.

@see core\lib\Drupal\Core\Render\Renderer.php - line 403

// Check the elements for insecure HTML and pass through sanitization.
if (isset($elements)) {
  $markup_keys = [
    '#description',
    '#field_prefix',
    '#field_suffix',
  ];
  foreach ($markup_keys as $key) {
    if (!empty($elements[$key]) && is_scalar($elements[$key])) {
      $elements[$key] = $this->xssFilterAdminIfUnsafe($elements[$key]);
    }
  }
}

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Needs work

Version

11.0

Component

file system

Created by

🇦🇺Australia silverham
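
As an added example (not code from this issue, its author, or Drupal core), the following standalone PHP script shows why a user-entered description ends up rendered as HTML on this path and what changes if the formatter escapes it before it reaches the Renderer. It assumes a Drupal checkout with its Composer autoloader at vendor/autoload.php (that path, the sample description string and the helper names adminFilterLikeRenderer() and escapeAsPlainText() are assumptions); it uses only the Drupal\Component\Utility classes plus Drupal\Core\Render\Markup, so no site install is needed.

```php
<?php
// Added example, not from the issue or from Drupal core. Assumes a Drupal
// checkout with its Composer autoloader at ./vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Render\MarkupInterface;
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

// Constructed input: what a user might type into the file Description field.
// It mixes an admin-allowed tag (h1), a disallowed tag (script) and an
// allowed tag carrying a disallowed event-handler attribute (img onerror).
$userDescription = '<h1>best file.docx</h1><script>alert(1)</script><img src=x onerror=alert(2)>';

/**
 * Mirrors what Renderer::xssFilterAdminIfUnsafe() does to a scalar
 * '#description' (see the quoted Renderer.php excerpt): filter the string
 * against the admin tag list and return it as Markup. Helper name is mine.
 */
function adminFilterLikeRenderer(string $value): MarkupInterface {
  return Markup::create(Xss::filterAdmin($value));
}

/**
 * Treats the value as plain text instead: escape it first, so that by the
 * time the Renderer applies Xss::filterAdmin() there are no tags left to
 * allow. Helper name is mine.
 */
function escapeAsPlainText(string $value): string {
  return Html::escape($value);
}

$asMarkup = adminFilterLikeRenderer($userDescription);
$asText = escapeAsPlainText($userDescription);

// An already-escaped string should survive the admin filter unchanged:
// Xss::filter() re-protects well-formed entities such as &lt; and &#039;.
if (Xss::filterAdmin($asText) !== $asText) {
  throw new RuntimeException('Escaped description was altered by Xss::filterAdmin()');
}

// Objects implementing MarkupInterface are treated as safe by the render
// pipeline and are not escaped again, which is why an admin-filtered (rather
// than escaped) description is emitted as live HTML in the file link.
printf("Is Markup (treated as safe): %s\n", $asMarkup instanceof MarkupInterface ? 'yes' : 'no');
printf("Admin-filtered (current behaviour):\n  %s\n", (string) $asMarkup);
printf("Escaped as plain text:\n  %s\n", $asText);

// Tag-level view: which tags the admin list keeps versus the default
// user-facing list of Xss::filter(), so the difference for <h1> is visible.
foreach (['h1', 'script', 'img', 'strong'] as $tag) {
  $sample = "<$tag>x";
  printf("<%s>: admin=%s default=%s\n",
    $tag,
    Xss::filterAdmin($sample) === $sample ? 'kept' : 'stripped',
    Xss::filter($sample) === $sample ? 'kept' : 'stripped');
}
```

Run it from the Drupal root with `php example.php`. The point to take from the output is that the admin filter is a tag allow-list for trusted editors, not an escaper for untrusted input: the h1 survives it, so anything that reaches '#description' as a plain scalar is rendered as HTML. Escaping in the formatter (or passing the description in a way that is not filtered as admin markup) is the kind of change a fix for this issue would need; which one core chooses is not decided in the text above.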
