Fix Potential XSS in HTML Markup

Created on 22 May 2025, 2 months ago

Problem/Motivation

In _acquia_optimize_footer method: https://git.drupalcode.org/project/acquia_optimize/-/blob/1.x/acquia_opt...
There's a scope of potential XSS which we can avoid.

Steps to reproduce

Proposed resolution

Convert string to Render array

Something like this:

/ Replace HTML string construction with render array
$footer = [
  '#type' => 'container',
  '#attributes' => ['class' => ['optimize-footer']],
  'info' => [
    '#type' => 'html_tag',
    '#tag' => 'p',
    '#attributes' => ['class' => ['scan-info']],
    '#markup' => t('Results are not synchronized to your Acquia Optimize account. To learn more visit'),
  ],
  'link' => [
    '#type' => 'link',
    '#title' => t('Acquia Docs.'),
    '#url' => Url::fromUri('https://docs.acquia.com/acquia-optimize/how-do-scan/quick-scan#section-faq'),
    '#attributes' => ['target' => '_blank'],
  ],
  'account_button' => [
    '#type' => 'link',
    '#title' => t('Go to your Optimize account'),
    '#url' => Url::fromUri('https://new.monsido.com'),
    '#attributes' => [
      'target' => '_blank',
      'class' => ['optimize-account-button'],
    ],
  ],
];

// Use the render array instead of the HTML string
$form['footer'] = $footer;

📌 Task

Status

Active

Version

1.1

Component

Code

Created by

🇮🇳India ankitv18

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @ankitv18
Comment 13 days ago →
🇮🇳India ankitv18
Comment 13 days ago →
🇬🇧United Kingdom longwave UK
As with the SSRF issue that was opened, if there is a potential security issue this should be reported to the security team in private - this should not be discussed in public.
Comment 13 days ago →
🇮🇳India ankitv18
Closing this

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024