[SITE-5450] Fix XSS escaping, strict types, and test gap in tabbed content

rkunjappan · rkunjappan · commit ea4ff9e6363b · 2026-02-25T16:51:52.000-05:00
Escape tab titles with Html::escape() in the formatter for defense-in-depth,
add declare(strict_types=1) to the Search API processor, remove unnecessary
@ error suppression from json_decode calls, and add missing tab title
assertion in TabbedContentProcessorTest.
diff --git a/src/Plugin/Field/FieldFormatter/PantheonTabbedContentFormatter.php b/src/Plugin/Field/FieldFormatter/PantheonTabbedContentFormatter.php
@@ -4,6 +4,7 @@
 
 namespace Drupal\pantheon_content_publisher\Plugin\Field\FieldFormatter;
 
+use Drupal\Component\Utility\Html;
 use Drupal\Core\Field\FieldDefinitionInterface;
 use Drupal\Core\Field\FieldItemListInterface;
 use Drupal\Core\Field\FormatterBase;
@@ -41,7 +42,7 @@ public function viewElements(FieldItemListInterface $items, $langcode): array {
       if (empty($item->value)) {
         continue;
       }
-      $tabs = @json_decode($item->value, TRUE);
+      $tabs = json_decode($item->value, TRUE);
       if (!is_array($tabs) || empty($tabs)) {
         continue;
       }
@@ -79,7 +80,7 @@ protected function buildTabs(array $tabs, int $heading_level = 2): array {
         'heading' => [
           '#type' => 'html_tag',
           '#tag' => $tag,
-          '#value' => $title,
+          '#value' => Html::escape($title),
         ],
         'content' => $this->renderTabContent($tab['documentTab'] ?? ''),
       ];
@@ -117,7 +118,7 @@ protected function renderTabContent(string|array $document_tab): array {
       return $build ?: ['#markup' => ''];
     }
     if (is_string($document_tab) && !empty($document_tab)) {
-      $decoded = @json_decode($document_tab, TRUE);
+      $decoded = json_decode($document_tab, TRUE);
       if ($decoded && is_array($decoded)) {
         $build = $this->tagsToRenderable->convertJsonToRenderable($document_tab);
         return $build ?: ['#markup' => ''];
diff --git a/src/Plugin/search_api/processor/TabbedContent.php b/src/Plugin/search_api/processor/TabbedContent.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Drupal\pantheon_content_publisher\Plugin\search_api\processor;
 
 use Drupal\Core\Render\RendererInterface;
@@ -61,7 +63,7 @@ protected function processFieldValue(&$value, $type) {
     }
 
     // Parse the TabTree array structure.
-    if (!$tabbed_content = @json_decode($value, TRUE)) {
+    if (!$tabbed_content = json_decode($value, TRUE)) {
       return;
     }
 
@@ -100,7 +102,7 @@ protected function extractTabContent(array $tabs): array {
 
         if (is_string($document_tab)) {
           // Check if it's JSON (PantheonTree) or plain text.
-          $decoded = @json_decode($document_tab, TRUE);
+          $decoded = json_decode($document_tab, TRUE);
           if ($decoded && is_array($decoded)) {
             // It's PantheonTree JSON - process it.
             if ($build = $this->tagsToRenderable->convertJsonToRenderable($document_tab)) {
diff --git a/tests/src/Unit/TabbedContentProcessorTest.php b/tests/src/Unit/TabbedContentProcessorTest.php
@@ -198,6 +198,7 @@ public function testProcessFieldValueWithArrayDocumentTab(): void {
     $this->callProcessFieldValue($value);
 
     $this->assertStringContainsString('Array content', $value);
+    $this->assertStringContainsString('Array Tab', $value);
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -198,6 +198,7 @@ public function testProcessFieldValueWithArrayDocumentTab(): void {`
`198`	`198`	`$this->callProcessFieldValue($value);`
`199`	`199`
`200`	`200`	`$this->assertStringContainsString('Array content', $value);`
	`201`	`+ $this->assertStringContainsString('Array Tab', $value);`
`201`	`202`	`}`
`202`	`203`
`203`	`204`	`/**`