- Issue created by @Anybody
- 🇩🇪Germany Anybody Porta Westfalica
First we need to find out, if this happens on the Drupal side or in foundation or both.
- First commit to issue fork.
- last update
almost 2 years ago 3 pass - @grevil opened merge request.
- Status changed to Needs review
almost 2 years ago 7:51am 4 July 2023 - 🇩🇪Germany Grevil
We found the problem! The twig file implicitly escapes the title through the "striptags" method. Adding "raw" will prevent this, but under specific circumstances, this might be a tiny security issue.
- last update
almost 2 years ago 3 pass - 🇩🇪Germany Anybody Porta Westfalica
Did a little tweak and made some security tests, didn't find any way to break it anymore! Think it's also fine from the logical perspective, with the
|rendernow:
Please note, thatfield.contentis a markup object, so the |render ensures it's escaped as string and afterward, left tags are removed to not collide with the accordion.Let's merge this.
- Status changed to Fixed
almost 2 years ago 10:31am 4 July 2023 Automatically closed - issue fixed for 2 weeks with no activity.