Background information

This is a follow-up to SA-CORE-2026-001.

Problem/Motivation

The error generated when the value of ?ajax_page_state[libraries] is invalid can be used to inject HTML.
This is not an XSS vulnerability because the HTML is sanitized with Xss::filter(), but it should still be prevented because it could make some reflected XSS easier to exploit.

Steps to reproduce

  1. Browse to /admin/config/development/logging and set "Error messages to display" to "Errors and warnings".
  2. As an anonymous user, browse to /user/login?ajax_page_state[libraries]=<b>foo (you might have to reload the page to see the error).
  3. The error contains the unescaped <b> HTML tag.

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

prudloff created an issue.
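
The difference the issue describes, between a message passed through a tag allowlist and one whose request value is escaped, shown as an added example that is not part of the original issue and is not Drupal's code. The function names and message text are hypothetical, and strip_tags() with an allowlist is a simplified stand-in for an allowlist filter, not Xss::filter() itself.

```php
<?php
declare(strict_types=1);

// Constructed sample: the parameter value from step 2 of the reproduction steps.
$value = '<b>foo';

/**
 * Hypothetical error builder: the whole message goes through a tag allowlist.
 * Script-capable tags are dropped, but allowed formatting tags that came from
 * the request are kept and reach the page as markup.
 */
function message_filtered(string $value): string {
  return strip_tags('Invalid library name: ' . $value, '<b><em><strong>');
}

/**
 * Hypothetical error builder: the request value is escaped before it is
 * placed in the message, so the browser renders it as text.
 */
function message_escaped(string $value): string {
  return 'Invalid library name: '
    . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allowlist filtering: the <b> tag from the request is still markup.
echo message_filtered($value), PHP_EOL;

// Escaping: the same value is inert text.
echo message_escaped($value), PHP_EOL;

// Allowlist filtering does remove a tag that is not on the list.
echo message_filtered('<script>x</script>'), PHP_EOL;
```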