The label value in a row passed to DraggableListBuilder isn't sanitized and is output as HTML. At the same time, EntityListBuilder processes it correctly.

Example: I've created a text format named <b>bold</b>, and it is shown as bold in the list! Adding </td></tr></table> to the name breaks the list page markup.

At the same time, the XSS <script>alert('Hello')</script> doesn't work.
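The three observations above line up with the difference between an admin-tag allowlist filter and plain-text escaping: in Drupal's render API a `#markup` element is run through `Xss::filterAdmin()`, which keeps tags such as `<b>` and `<td>` but drops `<script>`, while a `#plain_text` element is escaped by `Html::escape()`. The stand-alone PHP below is an added example, not code from this issue or from Drupal core; it uses `strip_tags()` with a constructed allowlist (`ADMIN_ALLOWED_TAGS`) as a stand-in for `Xss::filterAdmin()`, and the function names are mine.

```php
<?php
// Added example, not Drupal core code. Contrasts an admin-tag allowlist filter
// with plain-text escaping for an entity label. strip_tags() with a constructed
// allowlist stands in for Drupal's Xss::filterAdmin(); the exact tag list is an
// assumption made for this example.
declare(strict_types=1);

/** Tags an admin allowlist typically keeps; constructed for this example. */
const ADMIN_ALLOWED_TAGS = '<b><strong><em><a><table><tr><td>';

/** Roughly what a label placed in a '#markup' render element becomes. */
function renderLabelAsMarkup(string $label): string
{
    // Tags outside the allowlist are dropped; allowed tags are kept raw.
    return strip_tags($label, ADMIN_ALLOWED_TAGS);
}

/** What a label placed in a '#plain_text' render element becomes. */
function renderLabelAsPlainText(string $label): string
{
    // Every <, >, & and quote is escaped, so no tag survives.
    return htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Defensive check: does a label contain anything that parses as a tag? */
function labelContainsMarkup(string $label): bool
{
    return strip_tags($label) !== $label;
}

// Constructed labels mirroring the three cases in the report.
$labels = [
    'bold'   => '<b>bold</b>',
    'table'  => 'Format</td></tr></table>',
    'script' => "XSS <script>alert('Hello')</script>",
];

foreach ($labels as $name => $label) {
    // 'bold' and 'table' survive the allowlist filter as live markup;
    // 'script' loses its tag (the text alert('Hello') remains, inert).
    printf("%-6s markup:     %s\n", $name, renderLabelAsMarkup($label));
    // All three come out as inert, visible text.
    printf("%-6s plain_text: %s\n", $name, renderLabelAsPlainText($label));
    printf("%-6s flagged:    %s\n\n", $name, labelContainsMarkup($label) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The point for a list builder is that a label is plain text by intent, so the render element that escapes (`#plain_text`) is the right one; an allowlist filter only removes the tags it knows to be dangerous and leaves layout-breaking ones like `</table>` in place.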



Comments

dewalt created an issue. See original summary.


Status: Active » Needs review
Attachment: status new, 2.33 KB

I've found a solution that fixes this issue and https://www.drupal.org/project/drupal/issues/2514970 too.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Status: Needs review » Closed (cannot reproduce)
Issue tags: +Bug Smash Initiative

Tested this in the latest 9.4. This has been fixed and the format now displays as bold.