Note: this only affects the 1.2.x-dev branch, which is currently not stable. I have been in contact with the security team, and this does not and should not have a security review attached to it. We still want to be transparent about it, so that's why the issue is openly communicated. A 1.2.0-rc2 will be released after this is merged. Since it only affects data and areas that are controlled by the admin, it's a rather minor security issue.
When you add an AI Prompt and add HTML to it, this renders in the AI Prompt Element. This means that malicious <script> tags can be used, for instance, to run code on the page.
See example of adding the tag: (attachment not available)
See example of it triggering: (attachment not available)
This is due to the HTML not being escaped when the form element is rendered.
Thanks to user tcrawford for finding this issue.
Use Drupal's Html::escape to escape the HTML.
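As an added illustration of the proposed fix (this is not the AI module's own code, and the element and function names are hypothetical), the snippet below builds the same form element twice: once in the vulnerable shape, where admin-entered prompt text is handed to the renderer already marked as safe and so reaches the page verbatim, and once with the text passed through Drupal's Html::escape() first. It assumes a Drupal 10/11 autoloader is available (Markup lives in drupal/core; Html::escape() alone is also available from the drupal/core-utility package).

```php
<?php
// Added example, not code from the AI module. Element and function names are
// hypothetical; the sample prompt below is constructed for the demonstration.

use Drupal\Component\Utility\Html;
use Drupal\Core\Render\Markup;

/**
 * Vulnerable variant: wrapping the stored prompt in Markup::create() tells the
 * renderer the string is already safe. No Xss::filterAdmin() pass and no
 * escaping happens, so a prompt containing <script> is emitted verbatim and
 * runs in the browser of whoever views the element.
 */
function ai_prompt_preview_vulnerable(string $prompt): array {
  return [
    '#type' => 'item',
    '#title' => 'Prompt preview',
    '#markup' => Markup::create($prompt),
  ];
}

/**
 * Fixed variant: Html::escape() is htmlspecialchars() with
 * ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, so <, >, &, " and ' become entities
 * and the prompt is displayed as text. A plain string in '#markup' is still
 * run through Xss::filterAdmin() by the renderer, which is harmless for an
 * already-escaped string.
 */
function ai_prompt_preview_fixed(string $prompt): array {
  return [
    '#type' => 'item',
    '#title' => 'Prompt preview',
    '#markup' => Html::escape($prompt),
  ];
}

// Constructed sample prompt, as an admin could store it on the 1.2.x-dev branch.
$prompt = 'Summarise the page.<script>alert(document.cookie)</script>';

// Vulnerable: prints the <script> tag unchanged.
echo (string) ai_prompt_preview_vulnerable($prompt)['#markup'], PHP_EOL;

// Fixed: prints
// Summarise the page.&lt;script&gt;alert(document.cookie)&lt;/script&gt;
echo ai_prompt_preview_fixed($prompt)['#markup'], PHP_EOL;
```

Html::escape() is the fix this issue proposes; an equivalent in render-array terms is to put the raw prompt under the '#plain_text' key instead of '#markup', which the renderer escapes itself. Either way the check to add to the review is that no admin-controlled string reaches the element wrapped in Markup::create(), a Twig |raw filter, or '#children', since all three bypass escaping.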
1.2
AI Core module