Refactor \Drupal\link\AttributeXss from SA-CORE-2025-004

Created on 24 March 2025, 3 months ago

Problem/Motivation

https://www.drupal.org/sa-core-2025-004 → added some XSS filtering code to the link module which ideally would live in core itself.

The aim is not to introduce new APIs or make BC breaking changes in Security Advisories, but now the SA has been released the code can be refactored in a public issue.

Steps to reproduce

Code in question: https://git.drupalcode.org/project/drupal/-/commit/b112cf535a8edd5a981c2...

Proposed resolution

Per the comments in \Drupal\link\AttributeXss:

/**
 * Defines a class for attribute XSS filtering.
 *
 * @internal This class was added for a security fix and will be folded into
 *   the \Drupal\Component\Utility\Xss class in a public issue.
 */
final class AttributeXss {

Remaining tasks

tbc

User interface changes

tbc

Introduced terminology

tbc

API changes

tbc

Data model changes

tbc

Release notes snippet

tbc

📌 Task

Status

Active

Version

11.0 🔥

Component

link.module

Created by

🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @mcdruid
Comment 3 days ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
In addition we should try to resolve 🐛 Menu link attributes no longer stored in menu_tree since SA-CORE-2025-004 patch Active - we need to make XSS::attributes support HTML5 instead of XHTML.
The former allows underscores in attributes, the later does not.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024