Fix XSS issue in Tagify autocomplete and select widget JavaScript
>>> [!note] Migrated issue
Migrated from Drupal.org issue #3575516. Reported by: [gxleano](https://www.drupal.org/user/3591999). Related to !198
>>>

<h3 id="summary-problem-motivation">Problem/Motivation</h3>
<p>Several places in <code>js/tagify.js</code> insert user-controlled data directly into the DOM through template literals without sanitizing it, which is a potential XSS (Cross-Site Scripting) issue. This affects both the <code>tagifyAutocomplete</code> and <code>tagifySelect</code> behaviors.</p>
<p>Unsanitized values include:</p>
<ul>
<li>Tag labels and entity IDs rendered in tag templates</li>
<li>User input echoed back in "no matching suggestions" messages</li>
<li>Search terms and dropdown item values in suggestion lists</li>
</ul>
<h3 id="summary-proposed-resolution">Proposed resolution</h3>
<p>Pass all user-controlled data through <code>Drupal.checkPlain()</code> before inserting it into the DOM via template literals:</p>
<ul>
<li><code>highlightMatchingLetters()</code> &mdash; sanitize both the <code>inputTerm</code> and <code>searchTerm</code> parameters (autocomplete + select behaviors)</li>
<li><code>entityIdMarkup()</code> &mdash; sanitize <code>entityId</code> before rendering (autocomplete + select behaviors)</li>
<li><code>tagTemplate()</code> &mdash; sanitize the tag label/text used in <code>title</code>, <code>aria-label</code>, and the tag content (autocomplete + select behaviors)</li>
<li><code>dropdownItemTemplate()</code> &mdash; sanitize <code>tagData.value</code> and <code>highlightedText</code> in select widget dropdown items</li>
<li><code>dropdownItemNoMatch</code> &mdash; sanitize <code>data.value</code> in the "no match" template (autocomplete + select behaviors)</li>
</ul>
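The following is an added illustration, not code from the Tagify module's `js/tagify.js` or from the issue author. It shows the shape of the fix proposed above: an unsanitized tag template beside its sanitized form, and a `highlightMatchingLetters()` that encodes both terms without breaking the `<strong>` wrapper. Because it has to run outside Drupal, `checkPlain()` here is a stand-in reimplementation of `Drupal.checkPlain()` (same five characters encoded); the template markup, the `escapeRegExp()` helper, and the `tagData`/`data` field names are simplified assumptions rather than the module's real templates.

```javascript
// Stand-in for Drupal.checkPlain(): HTML-encode the characters that can
// break out of text or quoted-attribute context. (Assumption: mirrors core.)
function checkPlain(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical helper: neutralize regex metacharacters so a search term
// such as "a(" cannot throw a SyntaxError or build a pathological pattern.
function escapeRegExp(str) {
  return String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// BEFORE (simplified): label and entity id flow straight into markup.
function tagTemplateUnsafe(tagData) {
  return `<tag title="${tagData.value}" aria-label="${tagData.value}">` +
    `<span class="tagify__tag-text">${tagData.value}</span>` +
    `<span class="entity-id">(${tagData.entity_id})</span></tag>`;
}

// AFTER (simplified): every interpolated value is encoded first, and the
// attributes stay double-quoted so the encoded quote cannot close them.
function tagTemplate(tagData) {
  const label = checkPlain(tagData.value);
  const entityId = checkPlain(tagData.entity_id);
  return `<tag title="${label}" aria-label="${label}">` +
    `<span class="tagify__tag-text">${label}</span>` +
    `<span class="entity-id">(${entityId})</span></tag>`;
}

// Highlight the matched letters. Match on the RAW strings, then encode each
// piece separately: encoding first and matching afterwards would let a term
// like "am" land inside an "&amp;" entity and split it with <strong> tags.
function highlightMatchingLetters(inputTerm, searchTerm) {
  const input = String(inputTerm);
  const search = String(searchTerm);
  if (search === '') return checkPlain(input);
  const re = new RegExp(escapeRegExp(search), 'gi');
  let out = '';
  let last = 0;
  for (const m of input.matchAll(re)) {
    out += checkPlain(input.slice(last, m.index));
    out += `<strong>${checkPlain(m[0])}</strong>`;
    last = m.index + m[0].length;
  }
  return out + checkPlain(input.slice(last));
}

// "No match" template (simplified): the echoed search text is encoded.
function dropdownItemNoMatch(data) {
  return `<div class="tagify__dropdown__item tagify__dropdown__item--no-match">` +
    `No suggestions found for: ${checkPlain(data.value)}</div>`;
}

// Constructed payload: closes the title attribute and injects an element.
const PAYLOAD = { value: '"><img src=x onerror=alert(1)>', entity_id: 7 };
console.log(tagTemplateUnsafe(PAYLOAD)); // attribute closed, <img> injected
console.log(tagTemplate(PAYLOAD));       // payload rendered as inert text
console.log(highlightMatchingLetters('a&b<c', '&b'));
```

Two points worth keeping in mind when applying this to the real module: `Drupal.checkPlain()` is output encoding for HTML text and quoted-attribute contexts only, so it must be paired with quoted attributes, and it should be applied exactly once per value on the way into the template, never to a string that already contains the `<strong>` highlighting markup.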