This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.
Problem/Motivation
While the current behavior of vertical tabs is "working as designed," there is room for hardening this feature to mitigate potential vulnerabilities in contributed modules or custom implementations. Specifically, scenarios where user-supplied text is injected unescaped into vertical tabs could lead to cross-site scripting (XSS) attacks. Although identifying these cases is non-trivial, we can proactively strengthen the feature to reduce such risks.
Steps to reproduce
- Labels are correctly output using check_plain(), so any markup in a label reaches the page as escaped text (e.g., &lt;b&gt;).
- jQuery.text() fetches the text content of DOM elements, which decodes the entities again (e.g., &amp; becomes & and &lt;b&gt; becomes <b>).
- jQuery.html() inserts that decoded content back into the vertical tab summary, where the browser parses it as markup, so the server-side escaping is undone.
This workflow works as designed but could be exploited if contributed modules bypass sanitization, for example by feeding the decoded text back into the summary without re-escaping it.
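The round trip described above, as an added example that is not Drupal core's code: it emulates in plain Node.js (no DOM, no jQuery) what a summary callback built on jQuery.text() hands to jQuery.html(), beside a hardened variant that re-escapes the value first. The helper names (checkPlain, decodeEntities, buildSummaryVulnerable, buildSummaryHardened, containsMarkup) and the sample label are this example's own; checkPlain mirrors the escaping rules of the real Drupal.checkPlain(), and the summary callback shape it stands in for is the one registered with drupalSetSummary() in vertical-tabs.js.

```javascript
'use strict';

// What check_plain()/htmlspecialchars() emit for the reserved characters,
// and the reverse mapping a browser applies when it builds the DOM text.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const DECODE_MAP = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'", '#39': "'" };

// Mirror of Drupal.checkPlain(): escape a string so it is safe to pass to .html().
function checkPlain(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Emulates what jQuery.text() returns for an element whose page source held the
// escaped label: the browser decoded the entities once while parsing.
function decodeEntities(str) {
  return String(str).replace(/&(amp|lt|gt|quot|#0?39);/g, (_, name) => DECODE_MAP[name]);
}

// Vulnerable pattern: the summary callback returns $('label', context).text()
// and vertical-tabs.js does summary.html(callback(...)). The string returned
// here is exactly what the browser will parse as markup.
function buildSummaryVulnerable(escapedLabelSource) {
  const textAsSeenByJQuery = decodeEntities(escapedLabelSource);
  return textAsSeenByJQuery;
}

// Hardened pattern: re-escape before the value reaches .html(), so the summary
// shows the label literally. (Inserting with .text() instead is equivalent.)
function buildSummaryHardened(escapedLabelSource) {
  return checkPlain(decodeEntities(escapedLabelSource));
}

// Rough check used by the demo: does the string contain the start of a tag?
function containsMarkup(str) {
  return /<[a-z!\/]/i.test(str);
}

// Constructed sample: attacker-controlled label text that the server escaped
// correctly with check_plain() before rendering the <label> element.
const LABEL_SOURCE = 'Settings &lt;img src=x onerror=alert(document.domain)&gt;';

// Stand-alone demo output when run directly with `node`.
console.log('vulnerable summary :', buildSummaryVulnerable(LABEL_SOURCE));
console.log('  parsed as markup?', containsMarkup(buildSummaryVulnerable(LABEL_SOURCE)));
console.log('hardened summary   :', buildSummaryHardened(LABEL_SOURCE));
console.log('  parsed as markup?', containsMarkup(buildSummaryHardened(LABEL_SOURCE)));
```

The hardened variant also behaves correctly for a label that was escaped twice on the server (&amp;lt;b&amp;gt;): one decode by the browser and one re-escape give back the same source string, so nothing is ever unescaped further than it arrived.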
Remaining tasks
- Integrating DOMPurify: a robust library for sanitizing HTML, to mitigate potential XSS where a summary legitimately needs to carry markup rather than plain text.
- Reviewing and identifying places where contributed modules or custom code might incorrectly handle vertical tabs' content.
- Providing guidelines or documentation for module developers on properly sanitizing user-supplied content in dynamic UI elements.