Problem/Motivation

Symfony released a number of security fixes including one to spaceless; https://github.com/twigphp/Twig/commit/3190b9ae12614dfd58cc5d8f394bac470...

This module duplicated spaceless as is (so including Symfony's bug) when support for spaceless in core did not exist per #3477375: Provide non-deprecated replacement for Twig "spaceless" filter.

Drupal Core security team agreed to make this public to apply the same: https://git.drupalcode.org/security/185020-footnotes-security/-/work_ite... (link to private original issue)

Note that the default setup of this module does not have this issue:

  1. Ensure you have not manually disabled the Limit allowed HTML filter in footnotes
  2. Ensure you are not using footnotes_spaceless beyond the Twig templates provided by the footnotes module (cloning them to your theme is fine)

Steps to reproduce

  1. View footnotes_spaceless
  2. See same as previous code

Proposed resolution

  1. Apply same fix
  2. Apply test coverage
  3. Add warnings

Remaining tasks

MR

User interface changes

Warnings to use Limit allowed HTML when using footnotes_spaceless

API changes

N/A

Data model changes

N/A

Comments

scott_euser created an issue. See original summary.

  • scott_euser committed 64a2a1da on 4.0.x
    task: #3591772 Apply footnotes spaceless fix from Symfony
    
    By:...

Status: Active » Fixed
