- Issue created by @stefan.korn
If you provide no allowed tags, just any HTML will be output, even a script tag, for example. Isn't this a bit of a risky default setting? Wouldn't it be better to use the default allowed_tags (https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Field%21F...) as the default setting? That would be just using the "#markup" key without the "#allowed_tags" key, I suppose.
And maybe introduce an extra formatter option to output any HTML (with a warning), using the "#children" key only in this case.
Use HTML field formatter with no allowed tags set and insert for example
<script>alert('Hello')</script>
in your field. The JS alert will occur.
Use the "#markup" key instead of the "#children" key, maybe with an extra option for the "#children" key.
Active
2.0
Code
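The change proposed in this issue, sketched as an added example (not the module's own code): the function name and the `$output_any_html` option are hypothetical, and the sample value is the one from the steps to reproduce. It relies on Drupal core's behaviour that `#markup` without `#allowed_tags` is filtered against the admin tag list.

```php
<?php

/**
 * Hypothetical helper (not the module's code): builds the render element
 * for one field value from the formatter settings.
 *
 * @param string $value            Raw field value as stored.
 * @param string[] $allowed_tags   Tags configured on the formatter, may be empty.
 * @param bool $output_any_html    Hypothetical explicit opt-in for raw output.
 */
function example_build_field_element(string $value, array $allowed_tags, bool $output_any_html = FALSE): array {
  if ($output_any_html) {
    // Explicit opt-in only: #children is output without any filtering.
    return ['#children' => $value];
  }

  $element = ['#markup' => $value];
  if ($allowed_tags !== []) {
    // Restrict output to the tags configured on the formatter.
    $element['#allowed_tags'] = $allowed_tags;
  }
  // With no #allowed_tags key the renderer filters #markup against core's
  // admin tag list (Xss::getAdminTagList()), which does not include <script>.
  return $element;
}

// Constructed sample input based on the steps to reproduce.
$value = "<script>alert('Hello')</script><p>Text</p>";

// Default setting (no allowed tags): filtered #markup instead of #children.
print_r(example_build_field_element($value, []));

// Configured tags: only <p> and <strong> survive rendering.
print_r(example_build_field_element($value, ['p', 'strong']));

// Opt-in raw output: the only case that still uses #children.
print_r(example_build_field_element($value, [], TRUE));
```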