- Issue created by @marttir
For menu links created after upgrading to specific versions of Drupal core, any custom menu link attributes are no longer included in the link data produced by loading a menu link tree.
This issue is present since Drupal core versions introduced a patch for SA-CORE-2025-004 which sanitizes the attributes to fix a XSS vulnerability in the core Link class.
Affected Drupal core versions (all versions with the aforementioned patch):
>= 10.3.14
>= 10.4.5
>= 11.0.13
>= 11.1.5
>= 11.2.0-alpha1
- Install core 10.3.14
- Create new menu link, use custom attributes on it
- Dump the link data somewhere along the build/render pipeline
- Observe that the newly created menu link will not have the expected custom attributes under the options key
- Downgrade to core 10.3.13
- Observe that the newly created menu link is still broken and cache-clear does not fix it, i.e.
- Re-save the link
- Observe that the link data now contains the custom attributes
- Install core 10.3.14 again
- Observe that the link data still contains the custom attributes, but any new links will again have it missing due to the sanitization applied by core
None. Fixing this properly may require changes in core that also concern other modules and core security.
Active
1.5
Code