Not compatible with latest Drupal core

Created on 16 May 2025, about 2 months ago

Problem/Motivation

For menu links created after upgrading to specific versions of Drupal core, any custom menu link attributes are no longer included in the link data produced by loading a menu link tree.

This issue is present since Drupal core versions introduced a patch for SA-CORE-2025-004 which sanitizes the attributes to fix a XSS vulnerability in the core Link class.

Affected Drupal core versions (all versions with the aforementioned patch):
>= 10.3.14
>= 10.4.5
>= 11.0.13
>= 11.1.5
>= 11.2.0-alpha1

Steps to reproduce

- Install core 10.3.14
- Create new menu link, use custom attributes on it
- Dump the link data somewhere along the build/render pipeline
- Observe that the newly created menu link will not have the expected custom attributes under the options key

- Downgrade to core 10.3.13
- Observe that the newly created menu link is still broken and cache-clear does not fix it, i.e.
- Re-save the link
- Observe that the link data now contains the custom attributes
- Install core 10.3.14 again
- Observe that the link data still contains the custom attributes, but any new links will again have it missing due to the sanitization applied by core

Proposed resolution

None. Fixing this properly may require changes in core that also concern other modules and core security.

🐛 Bug report
Status

Active

Version

1.5

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024