HTML included in CKEditor title attribute with field label

Created on 8 December 2022, about 2 years ago
Updated 20 October 2023, about 1 year ago

On a required field with CKEditor, the title attribute of iframe.cke_wysiwyg_frame can contain HTML code, for example:

title='Rich Text Editor, My Label<span aria-hidden="true" class="hidden"> (required)</span> field'

This appears to be caused by the following part of ckeditor.es6.js, which reads the label with .html() and copies it into the title attribute without stripping the markup:

      // Set a title on the CKEditor instance that includes the text field's
      // label so that screen readers say something that is understandable
      // for end users.
      const label = $(`label[for=${element.getAttribute('id')}]`).html();
      format.editorSettings.title = Drupal.t('Rich Text Editor, !label field', {
        '!label': label,
      });

This problem appears to have been introduced in #2292035: CKEditor uses the automatically generated ID attribute for the body field in the ARIA label.
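The behaviour described above, and the difference between escaping the label and taking its text, as an added example (not code from the issue, from Drupal core or from ckeditor.es6.js). The functions checkPlain(), formatString() and htmlToText() are assumed stand-ins for Drupal.checkPlain(), Drupal.formatString() and jQuery's .text(), written so the example runs outside a browser; the label markup is constructed to match the one quoted in the summary.

```javascript
// Added example, not code from the Drupal issue or from ckeditor.es6.js.
// It models how the editor title is built from the field label and shows
// why copying the label's HTML (the reported behaviour) leaks markup into
// the title attribute, while using the label's text does not.
// checkPlain(), formatString() and htmlToText() are small stand-ins for
// Drupal.checkPlain(), Drupal.formatString() and jQuery's .text() so the
// example runs outside a browser; they are assumptions, not Drupal's code.

// Constructed label markup, shaped like Drupal's label for a required field.
const LABEL_HTML =
  'My Label<span aria-hidden="true" class="hidden"> (required)</span>';

// HTML-escape a string (what Drupal.checkPlain() does).
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Placeholder substitution in the style of Drupal.formatString():
// '!name' is inserted verbatim, '@name' is passed through checkPlain() first.
function formatString(str, args) {
  return Object.keys(args).reduce((out, key) => {
    const value = key.startsWith('@') ? checkPlain(args[key]) : String(args[key]);
    return out.split(key).join(value);
  }, str);
}

// Reduce label markup to its visible text: drop tags, decode common entities,
// collapse whitespace. In a browser, $(label).text() or label.textContent
// gives the same result for the markup used here.
function htmlToText(html) {
  const entities = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => entities[m])
    .replace(/\s+/g, ' ')
    .trim();
}

// Reported behaviour: the label's HTML is dropped straight into the title.
function buildTitleFromHtml(labelHtml) {
  return formatString('Rich Text Editor, !label field', { '!label': labelHtml });
}

// Escaping alone: no raw tags remain, but a screen reader would now read the
// escaped markup aloud as text, so this is not the right fix either.
function buildTitleEscaped(labelHtml) {
  return formatString('Rich Text Editor, @label field', { '@label': labelHtml });
}

// Hardened: take the label's text, not its markup, then build the title.
function buildTitleFromText(labelHtml) {
  return formatString('Rich Text Editor, !label field', { '!label': htmlToText(labelHtml) });
}

// Check a test or code review can apply to the computed attribute value.
function containsMarkup(value) {
  return /<[^>]*>/.test(value);
}

console.log(buildTitleFromHtml(LABEL_HTML));
console.log(buildTitleEscaped(LABEL_HTML));
console.log(buildTitleFromText(LABEL_HTML));
```

The first call reproduces the title quoted in the summary, markup included; the second shows that switching the placeholder from `!label` to `@label` only escapes the tags rather than removing them; the third is the text-only title a screen reader should get. Strings that are destined for an attribute should be taken from the label's text (jQuery `.text()` or `textContent`) rather than its `.html()`.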

🐛 Bug report

Status: Active
Version: 1.0
Component: ckeditor.module
Created by: Liam Morland (Ontario, Canada)

  • Accessibility

    It affects the ability of people with disabilities or special needs (such as blindness or color-blindness) to use Drupal.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • JavaScript

    Affects the content, performance, or handling of JavaScript.


Comments & Activities


  • mgifford (Ottawa, Ontario, Canada)

    So is this an upstream issue Wim? It might pose bigger problems if CKEditor is available to non-trusted users.

    Hmm.. Looks like I might be responsible for this as it looks like I rolled the last patch on that issue. Not sure quite how, but..

  • wim leers (Ghent, Belgium)

    This is not a Drupal core issue anymore now 😅
