Contrib.social

Menu link attributes no longer stored in menu_tree since SA-CORE-2025-004 patch

Open on Drupal.org β†’
Created on 20 May 2025, 2 months ago

Problem/Motivation

For menu links created after upgrading to specific versions of Drupal core, any custom menu link attributes are no longer included in the link data produced by loading a menu link tree. The attributes get sanitized when saving the menu tree.

This issue is present since Drupal core versions introduced a patch for SA-CORE-2025-004 which sanitizes the attributes to fix a XSS vulnerability in the core Link class.

The issue is caused by \Drupal\menu_link_content\Entity\MenuLinkContent::postSave calling $this->getPluginDefinition(); which calls $this->getUrlObject() which calls AttributeXss::sanitizeAttributes().

Affected Drupal core versions (all versions with the aforementioned patch):
>= 10.3.14
>= 10.4.5
>= 11.0.13
>= 11.1.5
>= 11.2.0-alpha1

Steps to reproduce

See issue in menu_link_attributes πŸ› Not compatible with latest Drupal core Active .

πŸ› Bug report
Status

Active

Version

10.3 ✨

Component

menu_link_content.module

Created by

marttir

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @marttir
  • Comment 2 months ago β†’
    marttir
  • Comment 2 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

    Any chance these attributes contain underscores ?

  • Comment about 2 months ago β†’
    πŸ‡«πŸ‡·France tostinni

    Yes indeed, here is an example that we have where classes are lost:

    attributes:
  class:
    label: 'Link class(es)'
    description: 'CSS class for the link (<a href>). Separate multiple classes by space.'
  target:
    label: 'Link target'
    description: ''
    options:
      _blank: 'New window (_blank)'
      _self: 'Same window (_self)'
  class_li:
    label: ' class item'
    description: ''
  data-toggle:
    label: data-toggle
  data-target:
    label: data-toggle
  container_class:
    label: 'Container class(es)'
    description: 'CSS class for the menu list item (<li>). Separate multiple classes by space.'

    What is the recommended fix here ? Convert underscores to dashes ?

  • Comment about 2 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

    Yeah that's what I did and it fixed my issue. Core's XSS filtering strips out attributes with an underscore already. We could probably repurpose this issue to review if that is still valid in a world of HTML5 - it was added to core when everything was XHTML. Underscores weren't appropriate in XHTML but are in HTML5.

  • Comment 23 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia larowlan πŸ‡¦πŸ‡ΊπŸ.au GMT+10

    I think we should probably close this as duplicate of πŸ“Œ Refactor \Drupal\link\AttributeXss from SA-CORE-2025-004 Active

  • Comment 23 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    @larowlan I'm not sure about marking it duplicate; the issue summary describes a data integrity problem. We would ideally want to backport a fix for that to the production and even security-supported branches, potentially, rather than waiting on the minor-only refactoring of the API.

  • Comment 23 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    @larowlan pointed out that menu_tree is just an index table, which I knew but second-guessed. So the data integrity issue is a recoverable one; we just need to trigger a routing rebuild to clean it up once the underlying underscores-versus-hyphens corrections are corrected for implmentations.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024