From 695037059cb4ac664089c26698fcfd600f6f3219 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Wed, 15 Apr 2026 20:12:57 +0300
Subject: [PATCH] SA-CORE-2026-001 by murat_kekic, akalata, benjifisher, drumm,
 larowlan, mlhess, neclimdul, pandaski, poker10, ram4nd, xjm, prufloff,
 greggles

---
 core/lib/Drupal/Core/Ajax/OpenDialogCommand.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/core/lib/Drupal/Core/Ajax/OpenDialogCommand.php b/core/lib/Drupal/Core/Ajax/OpenDialogCommand.php
index ec86a5ba0bb7..f6b652e60cab 100644
--- a/core/lib/Drupal/Core/Ajax/OpenDialogCommand.php
+++ b/core/lib/Drupal/Core/Ajax/OpenDialogCommand.php
@@ -3,6 +3,7 @@
 namespace Drupal\Core\Ajax;
 
 use Drupal\Component\Render\PlainTextOutput;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Defines an AJAX command to open certain content in a dialog.
@@ -141,6 +142,20 @@ public function setDialogTitle($title) {
   public function render() {
     // For consistency ensure the modal option is set to TRUE or FALSE.
     $this->dialogOptions['modal'] = isset($this->dialogOptions['modal']) && $this->dialogOptions['modal'];
+
+    if (!empty($this->dialogOptions['buttons'])) {
+      foreach ($this->dialogOptions['buttons'] as &$button) {
+        // Only allow specific attributes to be defined for a button.
+        $button = \array_intersect_key($button, \array_flip(['disabled', 'icons', 'label', 'text']));
+        foreach ($button as &$value) {
+          if (is_string($value)) {
+            // Apply Xss::filter to button attribute values.
+            $value = Xss::filter($value);
+          }
+        }
+      }
+    }
+
     return [
       'command' => 'openDialog',
       'selector' => $this->selector,
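Review bot: The `is_string($value)` guard in the inner loop means any button attribute whose value is an array — and the allowlisted `icons` entry is, as far as I can tell, normally passed as a keyed array of class names — reaches the client unfiltered, so the allowlist narrows the keys but not the nested values. A recursive walk closes that gap with the same effect on plain strings: `array_walk_recursive($button, static function (&$v): void { if (is_string($v)) { $v = Xss::filter($v); } });`. Since both loops iterate by reference, add `unset($value, $button);` after the outer loop so the references do not leak into the rest of `render()`; and note that a non-array `$button` would make `array_intersect_key()` throw a TypeError on PHP 8, which may be acceptable but is worth a comment or an explicit `is_array()` check. The rest of `render()` continues past the end of this hunk.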
-- 
GitLab

