I create a file field and tick 'Enable Description field'.
When uploading a file, I override the displayed filename by entering a Description with html like characters. e.g. '< h1 >best file.docx'.
Then on the website if using generic file formatter, the html is literally displayed.
The < script > tags are stripped so not a security risk.
This caused by #desciption key being used in other area's, e.g. help text where you want some html.
@see core\lib\Drupal\Core\Render\Renderer.php - line 403
// Check the elements for insecure HTML and pass through sanitization.
if (isset($elements)) {
$markup_keys = [
'#description',
'#field_prefix',
'#field_suffix',
];
foreach ($markup_keys as $key) {
if (!empty($elements[$key]) && is_scalar($elements[$key])) {
$elements[$key] = $this->xssFilterAdminIfUnsafe($elements[$key]);
}
}
}
Needs work
11.0 🔥
file system
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
This seems a valid issue.
I am able to reproduce the issue.
I believe since description field is widely used, we can't make additional changes apart from tweaking field formatters and using inline_template to render the description of file description field.