- Issue created by @bradjones1
LayoutSectionItem stores the section as a serialized PHP object. This depends on SqlContentEntityStorage not specifying a restriction on classes to instantiate in \unserialize().
This is not a security issue at the moment because this property does not directly contain user-generated data, but we are trying to avoid these kinds of calls in "Move from serialized columns to JSON encoded data wherever possible, or use allowed_classes" (Active). In addition, this is tightly coupled to "[PP-1] Expose Layout Builder data to REST and JSON:API" (Postponed), which does introduce some security concerns around data input over the API.
The section property should store the required serialized data to re-create the section object in a simple PHP array or a JSON object, instead. See "Allow field types to control how properties are mapped to and from storage" (Needs work).
I am hoping that we can identify the need for this to change (there would be a migration path for existing data) without needing to actually change this code in the course of deprecating PHP object storage.
Use JSON or PHP array storage of the serialized section properties, instead.
Status: Active
Version: 11.0
Component: layout_builder.module
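The three storage patterns the issue contrasts, as an added example that is not part of the issue or of Drupal core: a bare unserialize() of a stored blob, the same call with allowed_classes set, and a JSON-encoded array rebuilt through a fromArray() factory. The Section class here is a minimal stand-in, not \Drupal\layout_builder\Section, and its toArray()/fromArray() shape, the AuditLogger class and the tampered payload are all constructed for illustration.

```php
<?php
// Added example, not Drupal core code. Section below is a stand-in for
// \Drupal\layout_builder\Section; its toArray()/fromArray() shape is assumed.
declare(strict_types=1);

final class Section {
    public function __construct(
        public readonly string $layoutId,
        public readonly array $layoutSettings = [],
        public readonly array $components = [],
    ) {}

    public function toArray(): array {
        return [
            'layout_id' => $this->layoutId,
            'layout_settings' => $this->layoutSettings,
            'components' => $this->components,
        ];
    }

    public static function fromArray(array $data): self {
        // Validate the shape ourselves instead of letting the blob name its own class.
        if (!isset($data['layout_id']) || !is_string($data['layout_id'])) {
            throw new \InvalidArgumentException('Missing or invalid layout_id');
        }
        return new self(
            $data['layout_id'],
            (array) ($data['layout_settings'] ?? []),
            (array) ($data['components'] ?? []),
        );
    }
}

// Any autoloadable class with a magic method is a candidate for instantiation
// during unserialize(); this one is a constructed stand-in for such a gadget.
final class AuditLogger {
    public string $path = '/tmp/audit.log';
    public function __wakeup(): void {
        // A real gadget would write a file, invoke a callback, etc.
        echo "AuditLogger::__wakeup() ran with path {$this->path}\n";
    }
}

// 1. Current pattern: the column holds serialize($section) and is read back with
//    a bare unserialize(). If the blob is ever attacker-influenced, whatever class
//    it names gets instantiated. Payload constructed here by hand.
$tampered = 'O:11:"AuditLogger":1:{s:4:"path";s:9:"/tmp/evil";}';
$obj = unserialize($tampered);
echo get_class($obj), "\n";

// 2. Minimal hardening: forbid object instantiation entirely. PHP hands back a
//    __PHP_Incomplete_Class and no magic method runs.
$safe = unserialize($tampered, ['allowed_classes' => false]);
echo get_class($safe), "\n";
//    Or pin the column to the single class it is supposed to hold:
$pinned = unserialize($tampered, ['allowed_classes' => [Section::class]]);
echo get_class($pinned), "\n";

// 3. Proposed direction: persist a plain array as JSON. json_decode() can only
//    yield scalars and arrays, so the object is rebuilt by code we control.
$section = new Section('layout_onecol', ['label' => 'Body'], []);
$stored = json_encode($section->toArray(), JSON_THROW_ON_ERROR);
$restored = Section::fromArray(json_decode($stored, true, 512, JSON_THROW_ON_ERROR));
echo $stored, "\n";
echo ($restored == $section ? 'round trip ok' : 'round trip mismatch'), "\n";
```

Running it with PHP 8.1 or later, the first unserialize() instantiates AuditLogger and its __wakeup() fires; both allowed_classes variants produce __PHP_Incomplete_Class for the tampered blob without running any magic method; and the JSON round trip rebuilds an equal Section from an array the decoder could never have turned into an arbitrary object. The allowed_classes option is the quick fix the linked issue mentions; the array-plus-factory form is the direction the proposed resolution describes, and it also gives the REST/JSON:API work a validation point (fromArray()) rather than a deserialization point.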