is_safe not declared correctly on sortbyweight Twig filter

Created on 22 August 2023, over 1 year ago
Updated 27 April 2024, 7 months ago

Problem/Motivation

In SortByWeight, it should be:

new TwigFilter('sortbyweight', [$this, 'performSort'], ['is_safe' => ['html']]),

However, I don't think it would be a good idea to fix this, because it would allow for a potential XSS vulnerability.
When a string is passed to the sortbyweight Twig filter, it is returned unchanged; with is_safe, that string would also be marked as safe, disabling Twig auto-escaping.

Steps to reproduce

{% set html = '<b>foo</b>' %}
{# If is_safe was correctly enabled, it would return the HTML unescaped. #}
{{ html|sortbyweight }}

Proposed resolution

Since the filter usually returns an array, I don't think it needs to use is_safe.
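The escaping difference described above, as an added example (not the module's code or the reporter's): a stand-in performSort() that returns non-array input unchanged is registered once without is_safe and once with it, and the reproduction template is rendered under Twig auto-escaping. The Composer autoload path and the performSort() stand-in are assumptions.

```php
<?php
// Added example, not part of the module or the issue. Assumes twig/twig is
// installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Stand-in for the module's performSort(): sorts an array by '#weight' and
// returns any non-array value unchanged, which is the behaviour the issue
// relies on (hypothetical implementation, not the module's).
function performSort($value) {
  if (!is_array($value)) {
    return $value;
  }
  uasort($value, fn($a, $b) => ($a['#weight'] ?? 0) <=> ($b['#weight'] ?? 0));
  return $value;
}

// Render the reproduction template with the filter declared either with or
// without ['is_safe' => ['html']], auto-escaping enabled as in Drupal.
function render(bool $markSafe): string {
  $twig = new Environment(new ArrayLoader([
    'tpl' => "{% set html = '<b>foo</b>' %}{{ html|sortbyweight }}",
  ]), ['autoescape' => 'html']);
  $options = $markSafe ? ['is_safe' => ['html']] : [];
  $twig->addFilter(new TwigFilter('sortbyweight', 'performSort', $options));
  return $twig->render('tpl');
}

// Without is_safe, Twig escapes the pass-through string: &lt;b&gt;foo&lt;/b&gt;
echo render(false), PHP_EOL;
// With is_safe => ['html'], the same string is emitted raw: <b>foo</b>
echo render(true), PHP_EOL;
```

Arrays passed through the filter are iterated by the template rather than printed, so leaving is_safe unset costs nothing for the normal case while keeping strings escaped.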

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

prudloff (Lille, France)
