Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

This code in dropdown-widget.js does not escape HTML characters in the URL before using it in the href attribute: https://git.drupalcode.org/project/facets/-/blob/99775089dbe158b2e80dc6f...

This can't be exploited for a reflected XSS because the browser always URL-encodes the " character in window.location.href, but it might still be worth hardening.

Proposed resolution

Use Drupal.checkPlain() on the attribute value.
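As an added illustration (not the facets module's own code), the following shows why a raw URL inside a double-quoted href attribute is an attribute-context injection and what the proposed escaping buys. The local checkPlain() is assumed to mirror Drupal.checkPlain() from core/misc/drupal.js (escaping &, <, >, " and '); buildLinkUnsafe(), buildLinkSafe(), canBreakOutOfAttribute() and the sample URL are constructed for this example.

```javascript
// Added example, not code from the facets module or Drupal core.

// Local stand-in for Drupal.checkPlain() (assumed behaviour: escape the five
// characters that are significant in HTML text and attribute contexts).
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical rendering helper showing the pattern the issue describes:
// the URL is concatenated straight into the href attribute.
function buildLinkUnsafe(url, label) {
  return '<a href="' + url + '">' + label + '</a>';
}

// Hardened form: both the attribute value and the text node are escaped,
// so a quote in the URL can no longer terminate the attribute. A browser
// decodes &amp; and &quot; inside href back to & and ", so a legitimate
// URL keeps working.
function buildLinkSafe(url, label) {
  return '<a href="' + checkPlain(url) + '">' + checkPlain(label) + '</a>';
}

// Simple defensive check for this markup shape: a well-formed
// <a href="..."> fragment contains exactly two raw double quotes; any
// other count means the attribute boundary was broken.
function canBreakOutOfAttribute(markupFragment) {
  return (markupFragment.match(/"/g) || []).length !== 2;
}

// Constructed sample: a URL carrying a quote and angle brackets. As the
// issue notes, window.location.href would percent-encode the quote, but a
// hardening fix should be correct regardless of where the value came from.
const SAMPLE_URL = '/search?f[0]=color:red"><b>x</b>&page=1';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildLinkUnsafe(SAMPLE_URL, 'Red'));
  console.log(buildLinkSafe(SAMPLE_URL, 'Red'));
}
```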

Comments

prudloff created an issue.