🇯🇵 Japan @neptuneDG

Account created on 27 September 2023, 9 months ago

Recent comments

🇯🇵 Japan neptuneDG

Hi!

The patch at #33 didn't work for me because my installation 4.0.0 is a submodule of lightning_workflow and has slightly different code. I rerolled it for 4.0.0 as a submodule.

🇯🇵 Japan neptuneDG

That is what we think. We think it is related to core aggregation on Drupal 10 and are looking for solutions outside of this module. It does seem to be a duplicate of that one, but at least mine has a solution =P

🇯🇵 Japan neptuneDG

I needed this patch for my site, so I compiled NicholasS's changes here. In an ideal world, his changes wouldn't take more than two months to merge.

This patch worked for me with the latest version of the module on Drupal 10.

Thanks a lot.

🇯🇵 Japan neptuneDG

If you think that |raw is unsafe in this situation, then you already have a vulnerability. In the very same twig, you call the following line:

<article id="{{ id }}" {{attributes.addClass(classes)}}>

The output of attributes.addClass(classes) is marked as safe by twig and returns all attributes without escapes. Because the attributes I have marked as |raw are also inside that, I am not adding an additional vulnerability with this change.

At the moment in your current implementation, your data attributes are not escaped, yet your user-visible tags are escaped.

🇯🇵 Japan neptuneDG

This patch worked for me.

🇯🇵 Japan neptuneDG

neptuneDG → created an issue.
