Contrib.social

Project application for Security Advisory coverage

Open on Drupal.org โ†’
Created on 3 June 2025, 5 months ago

I am requesting Security Advisory coverage for the Node Alias Link Display module. โ†’ The project adheres to Drupal's coding standards, avoids known insecure practices, and is maintained transparently via the Drupal.org infrastructure.

Node Alias Link Display [D10, D11] โ†’

This Drupal module provides a custom field formatter to display node links using their URL alias (e.g., /my-title) instead of the canonical path (e.g., /node/123). This is particularly beneficial for improving SEO and offering clean, user-friendly URLs in site content. The module enhances link presentation by leveraging Drupalโ€™s path alias system without altering the underlying routing logic.

To clone the repository as a non-maintainer, use the following Git command:

git clone --branch 1.x https://git.drupalcode.org/project/node_alias_link_display.git

๐Ÿ“Œ Task
Status

Active

Component

module

Created by

๐Ÿ‡ซ๐Ÿ‡ทFrance iheb.attia

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @iheb.attia
  • Comment 5 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia vishal.kadam Mumbai
  • Comment 5 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance berramou

    I did a quick review, I didn't find any serious security issue but still need to sanitize alias and original parts before replacing, and maybe add $node->access() to check node access.
    Something like:

    if (is_numeric($nid)) {
  $node = $this->entityTypeManager->getStorage('node')->load($nid);
  if ($node instanceof Node && $node->access()) {
    $language = $this->languageManager->getLanguage($langcode);
    $node_url = $node->toUrl('canonical', ['language' => $language]);
    $alias = $node_url->toString();

    if ($alias !== "/node/$nid") {
      // Sanitize alias and original parts before replacing
      $safe_original = Xss::filter($original);
      $safe_alias = Html::escape($alias);
      $safe_url = Html::escape($url);

      return str_replace($safe_url, $safe_alias, $safe_original);
    }
  }
}
return Html::escape($original);
  • Comment 5 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance berramou
  • Comment 5 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia vishal.kadam Mumbai
  • Comment 5 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance iheb.attia

    berramou #3 ๐Ÿ“Œ Project application for Security Advisory coverage Active
    At this stage of the process, the alias and original strings are already sanitized. The plugin filter is executed after the node is built and its access is checked, so we can be confident that the node access logic has already been enforced upstream.

    Also, note that the final output is passed through Xss::filter() after rendering, which strips any remaining HTML tags. So even if the alias or original contained HTML at some point, it will be removed before display, ensuring XSS protection.

    Let me know if you still have concerns, but from what I see, the current flow already handles both access control and sanitization appropriately

  • Comment 5 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance berramou

    Thank you @iheb.attia for your contribution and explications.
    It's clear, since there is no other security issue, i will move this to fixed!

  • Comment 5 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance berramou
  • Comment 5 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡นItaly apaderno Brescia, ๐Ÿ‡ฎ๐Ÿ‡น

    These issues are fixed only when the applicant get the role that allows to opt projects into security advisory coverage. That can only be done by project moderators.

  • Comment 3 months ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance iheb.attia
  • Issue was unassigned.
  • Status changed to Needs review about 2 months ago
  • Comment about 2 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia rushiraval

    I am changing the issue priority as per issue priorities โ†’ .<

  • Comment about 2 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡นItaly apaderno Brescia, ๐Ÿ‡ฎ๐Ÿ‡น

    Actually, this project does not have enough Drupal code, differently from the other one. We should continue with the other application.

  • Comment about 2 months ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡นItaly apaderno Brescia, ๐Ÿ‡ฎ๐Ÿ‡น
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024