This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.
While the current behavior of vertical tabs is "working as designed," there is room for hardening this feature to mitigate potential vulnerabilities in contributed modules or custom implementations. Specifically, scenarios where user-supplied text is injected unescaped into vertical tabs could lead to cross-site scripting (XSS) attacks. Although identifying these cases is non-trivial, we can proactively strengthen the feature to reduce such risks.
This workflow works as designed but could be exploited if contributed modules bypass sanitization.
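As an added example that is not part of this issue or of Drupal core, the following Node-runnable JavaScript models the sink the summary is talking about: a vertical-tabs summary callback returns a string, and the vertical-tabs code inserts that string into the tab's summary element. The `checkPlain` helper, `unsafeSummaryCallback`, both `renderSummary*` functions, `containsMarkup` and `constructedInput` are all assumptions constructed for this illustration; the escape set in `checkPlain` mirrors the characters `Drupal.checkPlain` escapes, and the two render paths stand in for inserting the callback result as markup versus inserting it as text.

```javascript
// Added example, not Drupal core code: contrasts a summary value inserted as
// markup with the same value escaped before insertion.

// Assumption: same five characters that Drupal.checkPlain escapes.
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical contrib drupalSetSummary callback that reports a field value
// without escaping it. `context` stands in for the details element.
function unsafeSummaryCallback(context) {
  return 'Alias: ' + context.aliasValue;
}

// Current-behaviour model: the callback's return value becomes markup.
function renderSummaryUnescaped(callback, context) {
  return '<span class="vertical-tabs__menu-item-summary">' + callback(context) + '</span>';
}

// Hardened model: the core-side sink escapes whatever the callback returns, so
// a callback that forgot to sanitize cannot introduce an element or attribute.
function renderSummaryEscaped(callback, context) {
  return '<span class="vertical-tabs__menu-item-summary">' + checkPlain(callback(context)) + '</span>';
}

// Crude check used only for the demonstration: does the summary's inner
// content contain the start of an element tag?
function containsMarkup(rendered) {
  const inner = rendered.replace(/^<span[^>]*>/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed input: a user-supplied field value carrying an event handler.
const constructedInput = { aliasValue: '<img src=x onerror="alert(1)">' };

// Stand-alone run: show both paths side by side.
console.log(renderSummaryUnescaped(unsafeSummaryCallback, constructedInput));
console.log(renderSummaryEscaped(unsafeSummaryCallback, constructedInput));
```

The caveat a practitioner would raise: escaping at the sink is only safe to add if no legitimate callback returns markup on purpose, otherwise that summary starts displaying entity-encoded text. That compatibility question is part of why finding the affected cases is not trivial, and it should be settled before the hardened path replaces the current one.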
Active
11.1
javascript