- Issue created by @longwave
- First commit to issue fork.
- Merge request !7315 Resolve #3426514 "Drupal.theme.progressBar() does not escape output correctly" → (Closed) created by magaki
- Status changed to Needs review
11 months ago 3:25am 4 April 2024 - 🇯🇵Japan magaki
I changed the assigned string in the progress bar id attribute to the escaped strings.
And, I checked the work using JavaScript similar to the steps to reproduce, no dialog appeared.
The test fails, but it doesn't seem to be related to the changes.
https://git.drupalcode.org/issue/drupal-3426514/-/jobs/1233839#L778
Please review it.
- Status changed to Needs work
11 months ago 1:57pm 4 April 2024 - 🇺🇸United States smustgrave
Based on the issue summary seems like something that a test can be written for.
Tagging for issue summary as the proposed solution appears to be empty
- Status changed to RTBC
11 months ago 5:38pm 4 April 2024 - 🇬🇧United Kingdom longwave UK
Given 🌱 [policy, no patch] Better scoping for bug fix test coverage RTBC I am not sure it is worth the effort of writing a test for this. The fix is trivial and constructing test coverage for it is going to be much more work. The security improvement is minimal - someone explicitly has to inject a weird ID for it to be exploitable - so I think we just fix this and move on, unless anyone disagrees?
- Status changed to Fixed
11 months ago 8:33pm 4 April 2024 Automatically closed - issue fixed for 2 weeks with no activity.
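The class of fix discussed in this thread, as an added example that is not taken from the issue, the merge request or Drupal's code: a theme function that interpolates an id into an attribute unescaped, beside the escaped form. The names `escapeHtml`, `progressBarUnescaped`, `progressBarEscaped` and `attributeNames`, the markup, and the sample id are all assumptions constructed for illustration.

```javascript
// Hypothetical helper: minimal HTML escaping for attribute values and text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before" (assumed shape): the id reaches the markup exactly as passed in.
function progressBarUnescaped(id) {
  return `<div id="${id}" class="progress" aria-live="polite"></div>`;
}

// "After": the id is escaped once, at the point where it enters the markup.
function progressBarEscaped(id) {
  return `<div id="${escapeHtml(id)}" class="progress" aria-live="polite"></div>`;
}

// Lists the attribute names of the opening tag, splitting on double-quoted
// values the way an HTML parser would. Returns null if the tag is malformed.
function attributeNames(html) {
  const tag = html.match(/^<\w+((?:\s+[\w-]+="[^"]*")*)\s*>/);
  if (!tag) return null;
  return [...tag[1].matchAll(/\s+([\w-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample: an id containing a double quote, which closes the
// attribute early when it is not escaped.
const sampleId = 'pb" data-injected="1';

const before = attributeNames(progressBarUnescaped(sampleId));
const after = attributeNames(progressBarEscaped(sampleId));

console.log('unescaped:', before); // the id value has spilled into a new attribute
console.log('escaped:  ', after);  // only the attributes the template wrote
```

A regression test for this kind of fix can assert exactly this: the attribute list of the rendered element is the same for any id value.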