Allows HTML with Plain text format

Created on 4 April 2024, 3 months ago

Problem/Motivation

When the formatter is enabled on a formatted text field that uses the Plain text format (with the 'Display any HTML as plain text' filter enabled), HTML entered into the field is not escaped as expected: the raw HTML appears in the output.

Steps to reproduce

Tested on Drupal 10.2.5
1. Create a content type and add a Text (formatted long) field
2. Enable the Readmore formatter for the field in Manage display
3. Using the 'Plain text' format, enter some HTML tags in the field and save the content
4. View the content: the HTML tags are not escaped

Proposed resolution

The reason behind this behavior is that the formatter currently uses the unprocessed field value for the formatting and outputs the result directly, so the field's text format is never applied. There is already an issue, 🐛 Text formats are not applied (Needs review), with an MR that addresses this problem, but that issue was created to support HTML formatting and does not mention the security implications. This issue could be considered a duplicate, but it reports a different problem than the original.
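As an added illustration (not code from the Readmore module or from the linked MR), a hypothetical Drupal field formatter showing the buggy render array beside the corrected one; the module namespace, class name and plugin id are invented for this example, and the read-more truncation itself is left out:

```php
<?php

namespace Drupal\example_readmore\Plugin\Field\FieldFormatter;

use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\FormatterBase;

/**
 * Hypothetical formatter illustrating the issue described above.
 *
 * @FieldFormatter(
 *   id = "example_readmore",
 *   label = @Translation("Example read more"),
 *   field_types = {"text_long", "text_with_summary"}
 * )
 */
class ExampleReadmoreFormatter extends FormatterBase {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    foreach ($items as $delta => $item) {
      // Buggy variant: the stored value is rendered as-is. '#markup' only
      // receives core's generic admin XSS filter, so the text format chosen
      // for the item (and its 'Display any HTML as plain text' filter) is
      // never applied and tags such as <b> reach the page unescaped.
      // $elements[$delta] = ['#markup' => $item->value];

      // Fixed variant: run the value through the item's text format, the
      // same way core's text formatters do. With the Plain text format the
      // HTML is escaped instead of being output.
      $elements[$delta] = [
        '#type' => 'processed_text',
        '#text' => $item->value,
        '#format' => $item->format,
        '#langcode' => $item->getLangcode(),
      ];
    }
    return $elements;
  }

}
```

Any truncation or "read more" logic belongs after the text has been processed, otherwise a cut in the middle of a tag reintroduces the same problem.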

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

keszthelyi (Brussels, Belgium)

  • Security


Comments & Activities
