Custom Form label not rendering HTML after 13.0.165 hotfix

Ryan Pureber asked on January 9, 2025 21:27

After a hotfix from 13.0.104 to 13.0.165 the label for a checkbox on a custom form no longer renders the HTML and instead shows the markup in plaintext. IE: < strong>Test</ strong> (without the extra spaces) instead of Test.

Correct Answer

Juraj Ondrus answered on January 10, 2025 05:28

This change was intended and was due to security - there was an XSS attack possible. The support for this was removed in hotfix no. 159:

Stored XSS in Checkbox form component
Description
The Checkbox component in form builder was vulnerable to Cross-Site-Scripting attack (XSS). To eliminate this vulnerability, support for HTML in Checkbox component was removed.

I am afraid but if you want to have HTML in the labels, you will have to create your custom form component.

0 votesVote for this answer Unmark Correct answer

   Please, sign in to be able to submit a new answer.