- Issue created by @mjgruta
- Merge request !63 "Issue #3272853 by RenatoG: Implement a validation to remove the spaces on..." → (Open) created by Unnamed author
- 🇮🇳India kulpratap2002
Replaced `Html::cleanCssIdentifier()` with `Html::escape()` to prevent numeric data-* attribute values from being prefixed with underscores. Please review.
- 🇮🇳India kulpratap2002
Previously the code used:
    $attribute_value = Html::cleanCssIdentifier($attribute_value);
This method is designed to sanitize CSS identifiers (e.g., class names, IDs). It ensures they are valid by replacing leading numbers and stripping disallowed characters. However, this is too strict when applied to HTML attribute values (such as `data-*`), because:
- Valid `data-` attribute values may begin with digits (e.g., `550`).
- Sanitization with `cleanCssIdentifier()` incorrectly rewrites these values (`550 → _550`).
Replaced with:
    $attribute_value = Html::escape($attribute_value);
- Context-appropriate sanitization:
  - `Html::escape()` encodes special HTML characters (`<`, `>`, `"`, `'`, `&`).
  - This prevents injection into the DOM or breaking out of the attribute context.
- Preserves valid values:
  - Digits, letters, and safe symbols remain unchanged (`550` stays `550`).
- Mitigates XSS:
  - Any attempt to inject markup like `"><script>...</script>` will be safely escaped.
Security Conclusion
- `Html::cleanCssIdentifier()` is only necessary when generating CSS identifiers.
- For attribute values in HTML, `Html::escape()` provides the correct level of protection against XSS.
- Therefore, this change maintains security while restoring correct behavior for numeric and other valid attribute values.
- 🇮🇳India rakesh.regar Rajasthan, India
I have done the testing for this MR and the changes are working as expected.