Problem/Motivation
The ManagedFile form element plugin makes use of a #prefix to render out status messages in Drupal\file\Element\ManagedFile::uploadAjaxCallback. This means that any output from the status message template will be run through Drupal's XSS filter -- which is known to cause problems.
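The mechanism, as an added illustration for this issue (this is not code from the issue or from Drupal core): a kernel test that renders an element with a status-message-like #prefix twice, once as a plain string (what a `.=` concatenation onto `#prefix` produces, since it turns the MarkupInterface returned by renderRoot() into a string) and once wrapped as MarkupInterface. The class name, namespace and the MESSAGE_MARKUP constant are assumptions; the markup is a constructed stand-in that merely contains an `<svg>`, not the output of any real status-messages.html.twig.

```php
<?php

namespace Drupal\Tests\file\Kernel;

use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;
use Drupal\KernelTests\KernelTestBase;

/**
 * Shows how a plain-string #prefix loses the <svg> of a rendered message.
 *
 * Added illustration for this issue; not core code. Class name and namespace
 * are arbitrary. MESSAGE_MARKUP is constructed stand-in markup, not the output
 * of any real status-messages.html.twig; it only needs to contain an <svg>.
 */
class StatusMessagePrefixFilterTest extends KernelTestBase {

  /**
   * {@inheritdoc}
   */
  protected static $modules = ['system'];

  /**
   * Constructed stand-in for already-rendered status message markup.
   */
  protected const MESSAGE_MARKUP = '<div role="contentinfo" class="messages messages--error">'
    . '<svg class="messages__icon" width="20" height="20" viewBox="0 0 20 20" aria-hidden="true">'
    . '<path d="M10 2 18 18H2z"/></svg>'
    . 'The file is too large.'
    . '</div>';

  /**
   * A string #prefix is run through Xss::filterAdmin(); MarkupInterface is not.
   */
  public function testStringPrefixIsFilteredButMarkupIsNot(): void {
    // Xss::filterAdmin() keeps only the tags in Xss::$adminTags. <svg> and
    // <path> are not among them, so the tags are dropped while text survives.
    $filtered = Xss::filterAdmin(self::MESSAGE_MARKUP);
    $this->assertStringNotContainsString('<svg', $filtered);
    $this->assertStringContainsString('The file is too large.', $filtered);

    /** @var \Drupal\Core\Render\RendererInterface $renderer */
    $renderer = $this->container->get('renderer');

    // Case 1: the shape `$form['#prefix'] .= $renderer->renderRoot($messages)`
    // ends up with. String concatenation makes #prefix a plain string, and
    // Renderer::doRender() passes a plain-string #prefix through
    // Xss::filterAdmin() before printing it.
    $element = [
      '#markup' => '<div class="js-form-managed-file"></div>',
      '#prefix' => self::MESSAGE_MARKUP,
    ];
    $html = (string) $renderer->renderRoot($element);
    $this->assertStringNotContainsString('<svg', $html);
    $this->assertStringContainsString('The file is too large.', $html);

    // Case 2: a MarkupInterface #prefix is trusted and printed verbatim.
    // This is only acceptable because the markup came out of the render
    // system itself; wrapping user-controlled strings this way would be XSS.
    $element = [
      '#markup' => '<div class="js-form-managed-file"></div>',
      '#prefix' => Markup::create(self::MESSAGE_MARKUP),
    ];
    $html = (string) $renderer->renderRoot($element);
    $this->assertStringContainsString('<svg class="messages__icon"', $html);
  }

}
```

Running this with `php core/scripts/run-tests.sh` (or `phpunit` pointed at the file) inside a Drupal checkout shows the two render paths side by side; the second case is what a fix would have to achieve without ever wrapping a string that was not produced by the render system.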
Steps to reproduce
- Set up an off-the-shelf standard install.
- Add the webform module (for convenience; a native custom code FAPI form would work just as well...)
- Add a required managed file element to a form.
- Submit the form without uploading a file.
- Note that the status message has an <svg> sprite.
- Now things get interesting; upload a file that's too large for the field to accept...
- Note that the status message that's rendered by the managed file element does not have an <svg> sprite! The design has been broken!
Given this does break the Olivero design, I feel this is a legitimate bug that should be resolved.
Proposed resolution
By the time the status message template has finished rendering, this output should be trusted enough not to need this degree of XSS filtering [citation needed]. Can this be done safely?
Remaining tasks
Ask the security team to chime in.
User interface changes
TBD
API changes
TBD
Data model changes
TBD
Release notes snippet
TBD