Problem/Motivation

We had a security issue found within CivicTheme connected with XSS.

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

These occurred because we were not sufficiently filtering inputs to components. The XSS issue came about because we were not sufficiently filtering string fields and combined with the heavy use of the raw filter scripts were able to be injected into the components.

We have fixed every vector we could identify but given that sub-theme's are implementing their own implementations we want to fix this issue completely by removing all instances of raw.

Proposed resolution

1. Remove all instances of the raw filter within components
2. Update to use `\Drupal\Core\Template\Attribute` rather than using arrays and string for attribute values
3. Update to use render arrays rather than render to html and pass html to components

The changes mean:

- Sub-Themes will need to upgrade their own templates to remove raw, and will need to change overrides of CivicTheme values in preprocessing to also use render arrays where required. We will provide instructions on this when we do this release.

These changes mean that non-Drupal users of the twig components will need to add `drupal-attribute` NPM package to their implementation and also will need to convert html inputs to escaped twig objects.

See Issue on UI KIt: https://github.com/civictheme/uikit/issues/820

Comments

richardgaunt created an issue. See original summary.

richardgaunt’s picture

richardgaunt’s picture

Status: Active » Needs work
richardgaunt’s picture

Issue summary: View changes
richardgaunt’s picture

Assigned: richardgaunt » danielgry
Issue tags: +civictheme-1.12.2
richardgaunt’s picture

Status: Needs work » Needs review
richardgaunt’s picture

richardgaunt’s picture

Version: 1.x-dev » 1.12.2
Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.