Message partials are filtered without text format.

Created on 8 July 2025, 2 months ago

Problem/Motivation

All message partials are rendered as "processed text" with text format, here \Drupal\message\Entity\MessageTemplate::getText. The processed text and rendering process already handle removing unallowed tags, attributes, etc. But \Drupal\message\MessageViewBuilder::view wraps partials as plain string markup. Because of that, partials go through another XSS filter, which ignores the configured text format, since it doesn't know about it, potentially removing allowed tags/attributes.

Steps to reproduce

Create text format that allows tag/attribute (e.x. style attribute) that normally is removed by \Drupal\Core\Render\Renderer::ensureMarkupIsSafe
Configure message template with that text format
Tags/Attributes are removed even though they are allowed by text format

Proposed resolution

Wrap the partials in ViewBuilder in the \Drupal\filter\Render\FilteredMarkup class.
The processed text element does the same, so we can consider that the template is safe. Reference: \Drupal\filter\Element\ProcessedText::preRenderText

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

reinfate

Live updates comments and jobs are added and updated live.

Merge Requests

!57Message partials are filtered without text format.
Open
reinfate
updated 2 months ago

Comments & Activities

Issue created by @reinfate
Merge request !57Issue #3534628: Message partials are filtered without text format → (Open) created by reinfate
Pipeline finished with Failed
2 months ago
Total: 348s
#541621
Pipeline finished with Success
2 months ago
Total: 231s
#541631
Comment 2 months ago →
reinfate

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024