- Issue created by @marttir
- 🇦🇺Australia larowlan 🇦🇺.au GMT+10
Any chance these attributes contain underscores?
- 🇫🇷France tostinni
Yes indeed, here is an example that we have where classes are lost:
    attributes:
      class:
        label: 'Link class(es)'
        description: 'CSS class for the link (<a href>). Separate multiple classes by space.'
      target:
        label: 'Link target'
        description: ''
        options:
          _blank: 'New window (_blank)'
          _self: 'Same window (_self)'
      class_li:
        label: ' class item'
        description: ''
      data-toggle:
        label: data-toggle
      data-target:
        label: data-toggle
      container_class:
        label: 'Container class(es)'
        description: 'CSS class for the menu list item (<li>). Separate multiple classes by space.'

What is the recommended fix here? Convert underscores to dashes?
- 🇦🇺Australia larowlan 🇦🇺.au GMT+10
Yeah that's what I did and it fixed my issue. Core's XSS filtering strips out attributes with an underscore already. We could probably repurpose this issue to review if that is still valid in a world of HTML5 - it was added to core when everything was XHTML. Underscores weren't appropriate in XHTML but are in HTML5.
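The check and rename discussed in the comments above, as an added example (not code from Drupal core, the module, or any participant in this thread). It assumes the filter keeps only attribute names made of ASCII letters, digits and hyphens; the pattern `NAME_OK` and the function names are hypothetical, and the sample data is constructed from the configuration posted above.

```python
import re

# Assumption: a name survives filtering only if it consists of ASCII letters,
# digits and hyphens (the thread says names with underscores are stripped).
NAME_OK = re.compile(r"^[A-Za-z-][A-Za-z0-9-]*$")

# Constructed from the configuration posted in the thread (labels omitted).
CONFIG = {
    "class": {},
    "target": {"options": {"_blank": "New window (_blank)",
                           "_self": "Same window (_self)"}},
    "class_li": {},
    "data-toggle": {},
    "data-target": {},
    "container_class": {},
}

def audit(config):
    """Return {old_name: proposed_name} for names the filter would drop.

    Only top-level keys are attribute names. Option keys such as `_blank`
    are attribute values, so they are deliberately not inspected.
    """
    renames, taken = {}, set(config)
    for name in config:
        if NAME_OK.match(name):
            continue
        proposed = re.sub(r"[^A-Za-z0-9-]", "-", name)
        if not NAME_OK.match(proposed):
            raise ValueError(f"no safe automatic rename for {name!r}")
        if proposed in taken:
            # Renaming must never overwrite another configured attribute.
            raise ValueError(f"{name!r} -> {proposed!r} collides with an existing name")
        taken.add(proposed)
        renames[name] = proposed
    return renames

def surviving(attrs):
    """Simulate the assumed filter: keep attributes whose names pass NAME_OK."""
    return {k: v for k, v in attrs.items() if NAME_OK.match(k)}

def migrate(attrs, renames):
    """Apply the renames to stored link attributes so their values are kept."""
    return {renames.get(k, k): v for k, v in attrs.items()}
```

Values such as `_blank` pass through untouched because only attribute names are checked, and a rename that would collide with an existing name is rejected instead of silently merging two settings.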
- 🇦🇺Australia larowlan 🇦🇺.au GMT+10
I think we should probably close this as duplicate of Refactor \Drupal\link\AttributeXss from SA-CORE-2025-004 Active
- 🇺🇸United States xjm
@larowlan I'm not sure about marking it duplicate; the issue summary describes a data integrity problem. We would ideally want to backport a fix for that to the production and even security-supported branches, potentially, rather than waiting on the minor-only refactoring of the API.
- 🇺🇸United States xjm
@larowlan pointed out that menu_tree is just an index table, which I knew but second-guessed. So the data integrity issue is a recoverable one; we just need to trigger a routing rebuild to clean it up once the underlying underscores-versus-hyphens corrections are corrected for implementations.