AI Prompt does not properly escape HTML and XSS is possible
>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3550731. -->
Reported by: [marcus_johansson](https://www.drupal.org/user/385947)
Related to !941 !199
>>>

<h3 id="summary-problem-motivation">Problem/Motivation</h3>
<p><strong>Note: this only affects the 1.2.x-dev branch, which is currently not stable. I have been in contact with the security team, and this does not and should not have a security review attached to it. We still want to be transparent about it, so that's why the issue is openly communicated. A 1.2.0-rc2 will be released after this is merged. Since it only affects data and areas that are controlled by the admin, it's a rather minor security issue.</strong></p>
<p>When you add an AI Prompt and add HTML to it, this renders in the AI Prompt Element. This means that malicious <code>&lt;script&gt;</code> tags can be used, for instance, to run code on the page.</p>
<p>See example of adding the tag:<br>
<a href="https://www.drupal.org/files/issues/2025-10-07/Screenshot%20from%202025-10-07%2014-58-47.png"><img src="https://www.drupal.org/files/issues/2025-10-07/Screenshot%20from%202025-10-07%2014-58-47.png"></a></p>
<p>See example of it triggering:<br>
<a href="https://www.drupal.org/files/issues/2025-10-07/Screenshot%20from%202025-10-07%2014-59-16.png"><img src="https://www.drupal.org/files/issues/2025-10-07/Screenshot%20from%202025-10-07%2014-59-16.png"></a></p>
<p>This is due to unescaped HTML when rendering the form element.</p>
<p>Thanks to user <a href="https://www.drupal.org/u/tcrawford">tcrawford</a> for finding this issue.</p>

<h3 id="summary-proposed-resolution">Proposed resolution</h3>
<p>Use Drupal's <a href="https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Utility%21Html.php/function/Html%3A%3Aescape/11.x">Html::escape</a> to escape the HTML.</p>

<h3 id="summary-data-model-changes">Data model changes</h3>
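The following is an added illustration and is not code from the AI module or from this issue's author. It shows the failure mode the issue describes (admin-entered prompt text concatenated into the element's markup, so tags in it are rendered) next to the proposed fix of passing every admin-supplied string through <code>Html::escape()</code>. The element builder functions, their parameter names, the regression helper and the sample prompt text are hypothetical; only <code>Drupal\Component\Utility\Html::escape()</code> is the real API.

```php
<?php
// Added illustration, not the AI module's own code. The builder functions,
// the check helper and the sample prompt are hypothetical; only
// Drupal\Component\Utility\Html::escape() is the real Drupal API.

use Drupal\Component\Utility\Html;

/**
 * Vulnerable variant (hypothetical): the admin-entered prompt text is
 * concatenated straight into the element's HTML, so any tags it contains
 * become live markup when the AI Prompt Element is rendered.
 */
function ai_prompt_element_markup_unsafe(string $label, string $prompt_text): string {
  return '<div class="ai-prompt-element">'
    . '<h4>' . $label . '</h4>'
    . '<pre>' . $prompt_text . '</pre>'
    . '</div>';
}

/**
 * Hardened variant: every admin-supplied string passes through
 * Html::escape(), which turns <, >, &, " and ' into entities, so the browser
 * displays the prompt as text instead of interpreting it as HTML.
 */
function ai_prompt_element_markup_safe(string $label, string $prompt_text): string {
  return '<div class="ai-prompt-element">'
    . '<h4>' . Html::escape($label) . '</h4>'
    . '<pre>' . Html::escape($prompt_text) . '</pre>'
    . '</div>';
}

/**
 * Minimal regression check (hypothetical helper): the rendered output must
 * contain no raw <script tag, only its entity-encoded form.
 */
function ai_prompt_element_is_escaped(string $html): bool {
  return stripos($html, '<script') === false
    && strpos($html, '&lt;script&gt;') !== false;
}

// Constructed sample: a prompt body carrying a script tag, as in the issue.
$label = 'Summarise article';
$prompt = "Summarise the following text:\n<script>/* constructed sample */</script>";

$unsafe = ai_prompt_element_markup_unsafe($label, $prompt);
$safe = ai_prompt_element_markup_safe($label, $prompt);

// The unsafe variant emits the tag verbatim; the escaped variant emits
// "&lt;script&gt;/* constructed sample */&lt;/script&gt;", shown literally.
assert(ai_prompt_element_is_escaped($unsafe) === false);
assert(ai_prompt_element_is_escaped($safe) === true);
```

<p>When the element is built as a render array rather than a string, the same effect is obtained by putting the prompt text under <code>#plain_text</code> (which Drupal escapes on output) instead of <code>#markup</code>; the check above is the kind of assertion a kernel or unit test for the element would carry so the regression cannot return silently.</p>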