Menu link attributes no longer stored in menu_tree since SA-CORE-2025-004 patch

Created on 20 May 2025, about 1 month ago

Problem/Motivation

For menu links created after upgrading to specific versions of Drupal core, any custom menu link attributes are no longer included in the link data produced by loading a menu link tree. The attributes get sanitized when saving the menu tree.

This issue is present since the Drupal core versions that introduced a patch for SA-CORE-2025-004, which sanitizes the attributes to fix an XSS vulnerability in the core Link class.

The issue is caused by \Drupal\menu_link_content\Entity\MenuLinkContent::postSave calling $this->getPluginDefinition(); which calls $this->getUrlObject() which calls AttributeXss::sanitizeAttributes().

Affected Drupal core versions (all versions with the aforementioned patch):
>= 10.3.14
>= 10.4.5
>= 11.0.13
>= 11.1.5
>= 11.2.0-alpha1

Steps to reproduce

See the menu_link_attributes issue "Not compatible with latest Drupal core" (Active).

πŸ› Bug report
Status

Active

Version

10.3

Component

menu_link_content.module


Comments & Activities

  • Issue created by @marttir
  • larowlan (Australia, GMT+10)

    Any chance these attributes contain underscores ?

  • tostinni (France)

    Yes indeed, here is an example that we have where classes are lost:

    attributes:
      class:
        label: 'Link class(es)'
        description: 'CSS class for the link (<a href>). Separate multiple classes by space.'
      target:
        label: 'Link target'
        description: ''
        options:
          _blank: 'New window (_blank)'
          _self: 'Same window (_self)'
      class_li:
        label: ' class item'
        description: ''
      data-toggle:
        label: data-toggle
      data-target:
        label: data-toggle
      container_class:
        label: 'Container class(es)'
        description: 'CSS class for the menu list item (<li>). Separate multiple classes by space.'
    

    What is the recommended fix here ? Convert underscores to dashes ?

  • larowlan (Australia, GMT+10)

    Yeah that's what I did and it fixed my issue. Core's XSS filtering strips out attributes with an underscore already. We could probably repurpose this issue to review if that is still valid in a world of HTML5 - it was added to core when everything was XHTML. Underscores weren't appropriate in XHTML but are in HTML5.
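    As an added illustration (not code from this issue or from Drupal core), the script below models the attribute-name pattern that Drupal's Xss::attributes() accepts, assumed here to be `[-a-zA-Z][-a-zA-Z0-9]*`, runs the attribute names from the menu_link_attributes config quoted above through it, and applies the underscore-to-dash rename described in the previous comment. The values are constructed sample data.

```python
import re

# Assumed model of the attribute-name check in Drupal's Xss::attributes():
# a name may contain letters, digits and dashes only. Anything else (such as
# an underscore) means the attribute is dropped. Illustration only, not core code.
ATTR_NAME = re.compile(r'^[-a-zA-Z][-a-zA-Z0-9]*$')

# Attribute names from the menu_link_attributes config above; values are constructed.
CONFIGURED_ATTRIBUTES = {
    "class": "nav-link",
    "target": "_blank",          # underscore in a VALUE is fine; only names are checked
    "class_li": "nav-item",
    "data-toggle": "dropdown",
    "data-target": "#main-menu",
    "container_class": "dropdown",
}


def surviving_attributes(attributes):
    """Return only the attributes whose names pass the modelled name check."""
    return {name: value for name, value in attributes.items() if ATTR_NAME.match(name)}


def stripped_attributes(attributes):
    """Return the names the filter drops, i.e. the ones missing from the loaded menu tree."""
    return sorted(set(attributes) - set(surviving_attributes(attributes)))


def dashify_names(attributes):
    """Rewrite underscores in attribute names to dashes (the workaround discussed above)."""
    return {name.replace("_", "-"): value for name, value in attributes.items()}


if __name__ == "__main__":
    print("dropped as configured:", stripped_attributes(CONFIGURED_ATTRIBUTES))
    print("kept after rename:", sorted(surviving_attributes(dashify_names(CONFIGURED_ATTRIBUTES))))
```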
