Problem/Motivation

Basic and composite elements are not rendered in the same way. If HTML markup is submitted to a Text Field, it's displayed as plain text. If HTML markup is submitted to a composite element, like Name, the HTML is rendered (<script> tags are still stripped, so this is not an XSS vulnerability). I noticed it specifically when a user submitted an image in an image tag to a name field.

Steps to reproduce

  1. Start from a fresh Drupal 9.5 install
  2. Install the webform module (version 6.1.5)
  3. Create a webform
  4. Add a Text Field to the webform
  5. Add a Name Field to the webform (simplest case: only have first name visible, but it doesn't matter)
  6. Create a submission to the webform with the value <img src="https://dummyimage.com/100x100/000/fff"> entered for both the Text Field and the Name Field
  7. View the new submission and see that the image is rendered in the Name Field but displayed as plain text in the Text Field.

Proposed resolution

Attached is a patch file with my proposed solution. I replaced #markup with #plain_text to match how values are rendered for Basic Elements (line 1652 in WebformElementBase.php). This makes their behavior consistent and prevents users submitting images when they aren't expected to.

Remaining tasks

There may be functionality in composite elements that relies on using #markup that I'm not aware of. For myself, none of the composite elements (Address, Contact, Custom, Link, Location, Name, Telephone advanced) were used with the expectation of HTML, so it works well enough.
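The following is an added example, not the patch attached to this issue and not Webform's own code. It contrasts the two render-array keys the proposed resolution talks about, using the same `<img>` value the steps to reproduce submit. It assumes Drupal core's `Drupal\Component\Utility` classes are autoloadable (for example by running it with `drush php:script` on the Drupal 9.5 site); `build_composite_value` is a hypothetical helper, not a Webform API.

```php
<?php
// Added example (not the issue's patch): shows why '#markup' lets an <img>
// through while '#plain_text' does not. Assumes Drupal core's Component
// utilities are autoloadable (e.g. run via `drush php:script` on the site).
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Constructed sample input: the value from the issue's steps to reproduce,
// plus a <script> tag to show that it is stripped on both paths.
const SUBMITTED_VALUE = '<img src="https://dummyimage.com/100x100/000/fff"> <script>alert(1)</script> Jane';

/**
 * Before the patch: a composite sub-value is placed in '#markup'.
 * The core renderer passes '#markup' strings through Xss::filterAdmin(),
 * which removes <script> but keeps admin-safe tags such as <img>.
 */
function render_as_markup(string $value): string {
  return (string) Xss::filterAdmin($value);
}

/**
 * After the patch (and what basic elements already do, see the issue
 * summary's reference to WebformElementBase.php): the value is placed in
 * '#plain_text', which the renderer HTML-escapes, so every tag is shown
 * as literal text rather than rendered.
 */
function render_as_plain_text(string $value): string {
  return Html::escape($value);
}

/**
 * Hypothetical helper (not a Webform API) that builds the render array for
 * one composite sub-value. $escape = TRUE is the behaviour the patch adopts.
 */
function build_composite_value(string $value, bool $escape): array {
  return $escape ? ['#plain_text' => $value] : ['#markup' => $value];
}

// Demonstrate both paths on the same submitted value.
$before = build_composite_value(SUBMITTED_VALUE, FALSE);
$after  = build_composite_value(SUBMITTED_VALUE, TRUE);

echo "Before ('#markup'):     " . render_as_markup($before['#markup']) . PHP_EOL;
echo "After ('#plain_text'):  " . render_as_plain_text($after['#plain_text']) . PHP_EOL;

// Quick self-check mirroring the issue: with '#markup' the <img> survives
// (it would render in the submission view); with '#plain_text' no raw '<' is
// left, so the browser shows the tag as text, matching the basic Text Field.
assert(strpos(render_as_markup(SUBMITTED_VALUE), '<img') !== FALSE);
assert(strpos(render_as_markup(SUBMITTED_VALUE), '<script') === FALSE);
assert(strpos(render_as_plain_text(SUBMITTED_VALUE), '<') === FALSE);
```

The practical check after applying the patch is the one in the steps to reproduce: submit the `<img>` value to both a Text Field and a Name field and confirm the submission view shows the literal tag text in both, since `#plain_text` takes the `Html::escape()` path for every element.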

Comments

Billodeau created an issue.

billodeau

Issue summary: updated

billodeau

Attached file: 481 bytes (new)

Status: Needs review » Needs work

The last submitted patch, 3: webform_composite_field.patch, failed testing.

cilefen

Category: Task » Bug report

This looks like a bug report to me.

jrockowitz

Status: Needs work » Needs review
Attached files: 1.63 KB (new), 5.18 KB (new)

The attached webform replicates the issue and the attached patch fixes it.

kasliwal_harshit

Reviewed this issue. The given patch (#6 / 3369135-6.patch) is getting applied successfully; now the user can only submit text values in both the name and text field. Attaching the screenshot for the same.
We can move this to RTBC. +1, thanks.

kasliwal_harshit

Attached files: 39.58 KB (new), 45.87 KB (new)

jrockowitz

Status: Needs review » Reviewed & tested by the community
jrockowitz

Status: Reviewed & tested by the community » Fixed

  • jrockowitz authored 5950bbe2 on 6.1.x
    Issue #3369135 by Billodeau, jrockowitz: Basic vs Composite Elements:...

  • jrockowitz authored 5950bbe2 on 6.x
    Issue #3369135 by Billodeau, jrockowitz: Basic vs Composite Elements:...

  • jrockowitz authored 5950bbe2 on 6.2.x
    Issue #3369135 by Billodeau, jrockowitz: Basic vs Composite Elements:...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.