Needs review
Project:
Obfuscate
Version:
2.0.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
24 Apr 2026 at 16:03 UTC
Updated:
10 May 2026 at 22:57 UTC
Jump to comment: Most recent
Problem/Motivation
The 2.0.x branch seems to be horribly broken. Commit b35f7332ad7a8026c7419047afd27b8811f1ff83 literally reverted the whole code rewrite that was done earlier.
Even worse, it adds $text = Xss::filter($text); to Drupal\obfuscate\Plugin\Filter\ObfuscateMail::process(), which removes all HTML tags from formatted text fields.
Issue fork obfuscate-3586753
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
compare
Comments
Comment #3
grumpydev74Right, the following statement is correct :
Even worse, it adds $text = Xss::filter($text); to Drupal\obfuscate\Plugin\Filter\ObfuscateMail::process(), which removes all HTML tags from formatted text fields.
I think the Xss::filter($text) added in the version 2.0.2 is irrelevant. Drupal core already sanitize inputs according to text format allowed tags. It's not Obfuscate filter to do so here. It should be removed.
Comment #4
yepaPatch added following Grumpydev74 comment.
Comment #5
mrshowermanWhile this will certainly fix parts of the issue, the main task remains: reset the
2.0.xbranch to the state before commitb35f7332ad7a8026c7419047afd27b8811f1ff83.Comment #6
anybodyUpdating the module to the latest version breaks all texts using obfuscate filter. Downgrading is not possible due to XSS risks, see older releases. So this is critical. I just pinged the maintainer.
Comment #7
nigelcunningham commentedHi.
Apologies for the breakage. I'll work on reverting the changes while still applying the XSS fix this afternoon.
Regards,
Nij
Comment #8
nigelcunningham commented