Problem/Motivation
We had a security issue found within CivicTheme connected with XSS.
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
These occurred because we were not sufficiently filtering inputs to components. The XSS issue came about because we were not sufficiently filtering string fields and combined with the heavy use of the raw filter scripts were able to be injected into the components.
We have fixed every vector we could identify but given that sub-theme's are implementing their own implementations we want to fix this issue completely by removing all instances of raw.
Proposed resolution
1. Remove all instances of the raw filter within components
2. Update to use `\Drupal\Core\Template\Attribute` rather than using arrays and string for attribute values
3. Update to use render arrays rather than render to html and pass html to components
The changes mean:
- Sub-Themes will need to upgrade their own templates to remove raw, and will need to change overrides of CivicTheme values in preprocessing to also use render arrays where required. We will provide instructions on this when we do this release.
These changes mean that non-Drupal users of the twig components will need to add `drupal-attribute` NPM package to their implementation and also will need to convert html inputs to escaped twig objects.
See Issue on UI KIt: https://github.com/civictheme/uikit/issues/820
Comments
Comment #2
richardgaunt commentedPull Requests in progress
Drupal theme work:
https://github.com/civictheme/monorepo-drupal/pull/1436
UIKit work:
https://github.com/civictheme/uikit/pull/821
Comment #3
richardgaunt commentedComment #4
richardgaunt commentedComment #5
richardgaunt commentedComment #6
richardgaunt commentedComment #7
richardgaunt commentedComment #8
richardgaunt commented