Risky to output any HTML by default?

Created on 15 August 2023, 11 months ago

Problem/Motivation

If you provide no allowed tags, just any HTML will be output, even a script tag for example. Isn't this a bit of a risky default setting? Wouldn't it be better to use the default allowed_tags (https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Field%21F...) as the default setting? That would be just using the "#markup" key without the "#allowed_tags" key, I suppose.

And maybe introduce an extra formatter option to output any HTML (with a warning), using the "#children" key only in this case.

Steps to reproduce

Use HTML field formatter with no allowed tags set and insert for example
<script>alert('Hello')</script>
in your field. The js alert will occur.

Proposed resolution

Use the "#markup" key instead of the "#children" key, maybe with an extra option for the "#children" key.
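As an added illustration (not code from the module or from the reporter), a minimal field formatter showing the "#children" key beside the "#markup" alternative proposed above. The namespace, plugin ID and class name are assumptions; FieldFilteredMarkup::allowedTags() is the core default tag list.

```php
<?php

// Added example: hypothetical formatter, namespace and plugin ID are assumed.
namespace Drupal\example_html_formatter\Plugin\Field\FieldFormatter;

use Drupal\Core\Field\FieldFilteredMarkup;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\FormatterBase;

/**
 * Renders a long text field as HTML.
 *
 * @FieldFormatter(
 *   id = "example_html",
 *   label = @Translation("Example HTML"),
 *   field_types = {"string_long"}
 * )
 */
class ExampleHtmlFormatter extends FormatterBase {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    foreach ($items as $delta => $item) {
      // Risky: the renderer treats '#children' as already-rendered output and
      // prints it unchanged, so <script>alert('Hello')</script> stored in the
      // field reaches the browser and runs.
      // $elements[$delta] = ['#children' => $item->value];

      // Safer default: a plain string in '#markup' without '#allowed_tags' is
      // XSS-filtered with the admin tag list, which drops <script> and
      // on* attributes while keeping ordinary inline markup.
      $elements[$delta] = ['#markup' => $item->value];

      // Stricter still: limit output to the core default field tag list,
      // which is what the issue suggests using as the default setting.
      // $elements[$delta] = [
      //   '#markup' => $item->value,
      //   '#allowed_tags' => FieldFilteredMarkup::allowedTags(),
      // ];
    }
    return $elements;
  }

}
```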

Remaining tasks

💬 Support request
Status

Active

Version

2.0

Component

Code

Created by

🇩🇪 Germany stefan.korn Jossgrund

