Issue #3426514 by magaki, Tom Konda, longwave: Drupal.theme.progressBar() does not escape output correctly

2024-04-04 22:30:45 +02:00 · 2024-04-04 22:30:45 +02:00 · 1c9e2cff5c
parent ec1dd1b33c
commit 1c9e2cff5c
1 changed files with 2 additions and 1 deletions
--- a/core/misc/progress.js
+++ b/core/misc/progress.js
@ -14,8 +14,9 @@
   *   The HTML for the progress bar.
   */
  Drupal.theme.progressBar = function (id) {
+    const escapedId = Drupal.checkPlain(id);
    return (
-      `<div id="${id}" class="progress" aria-live="polite">` +
+      `<div id="${escapedId}" class="progress" aria-live="polite">` +
      '<div class="progress__label">&nbsp;</div>' +
      '<div class="progress__track"><div class="progress__bar"></div></div>' +
      '<div class="progress__percentage"></div>' +