Unused data-widget-settings attribute exposes configuration to client
>>> [!note] Migrated issue
Migrated from issue #3567110. Reported by: [fago](https://www.drupal.org/user/16747). Related to !7
>>>

### Problem

The `FieldWidgetActionBase::actionButton()` method adds a `data-widget-settings` attribute to action buttons that contains the full JSON-encoded plugin configuration:

```php
// FieldWidgetActionBase.php:305
'data-widget-settings' => json_encode($this->getConfiguration()),
```

This exposes potentially sensitive configuration to the client-side DOM, including:

- AI prompts with token patterns
- Model configuration
- Any other plugin-specific settings

However, this data attribute is never used by any JavaScript in the module. The AJAX callback correctly reads settings from the server-side form element property `#field_widget_action_settings` instead.

Moreover, many prompts can needlessly bloat the HTML.

### Steps to reproduce

1. Configure a field widget action (e.g., `prompt_content_suggestion`) on a text field
2. View the entity form in a browser
3. Inspect the action button element
4. Observe the full configuration is exposed in `data-widget-settings`

### Proposed resolution

Remove the unused `data-widget-settings` attribute from `FieldWidgetActionBase::actionButton()`:

```diff
- 'data-widget-settings' => json_encode($this->getConfiguration()),
```

The other data attributes (`data-widget-id`, `data-widget-field`, `data-widget-delta`, `data-wrapper-id`) also appear unused and could be reviewed, but `data-widget-settings` is the most important to remove as it contains the full configuration.

### Remaining tasks

- Confirm no code relies on these data attributes
- Remove unused attributes

### AI disclosure

I used AI to create this text and reviewed it.
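A regression check for the remaining tasks above, added here as an example and not code from the module: it parses a rendered form and reports every `data-*` attribute that still carries a JSON object, so the leak is caught if the attribute is ever reintroduced. The button markup is a constructed sample; the CSS class names, wrapper id and prompt text in it are assumptions.

```python
import json
from html.parser import HTMLParser

# Constructed sample entity form (not the module's markup): the action button still
# carries the full configuration in data-widget-settings; the other attributes are ids.
SAMPLE_HTML = """
<form>
  <button class="field-widget-action" data-widget-id="prompt_content_suggestion"
          data-widget-field="field_body" data-widget-delta="0" data-wrapper-id="edit-field-body-wrapper"
          data-widget-settings='{"prompt": "Summarise [node:body] in one sentence", "model": "example-model"}'>
    Suggest
  </button>
  <button class="details-toggle" data-toggle="collapse">Toggle</button>
</form>
"""

class DataAttributeScanner(HTMLParser):
    """Record every data-* attribute and decode the ones that hold a JSON object."""

    def __init__(self):
        super().__init__()
        self.attribute_names = set()
        self.findings = []  # one entry per data-* attribute carrying a JSON object

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not name.startswith("data-") or value is None:
                continue
            self.attribute_names.add(name)
            try:
                decoded = json.loads(value)
            except ValueError:
                continue  # plugin ids, field names, deltas and flags are not JSON objects
            if isinstance(decoded, dict):
                self.findings.append({"tag": tag, "attribute": name, "keys": sorted(decoded)})

def scan(html):
    scanner = DataAttributeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner

def find_exposed_config(html):
    """Tag, attribute and configuration keys for each JSON object leaked into the DOM."""
    return scan(html).findings

def leaks_widget_settings(html):
    """True while the unused data-widget-settings attribute is still being rendered."""
    return "data-widget-settings" in scan(html).attribute_names
```

Run `find_exposed_config` against the HTML of an entity form after the fix; an empty list and a false `leaks_widget_settings` confirm that no configuration reaches the client.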