• I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

This PR addresses a potential XSS vulnerability by standardizing and securing the generation of HTML attributes within Joomla. Previously, the ArrayHelper::toString() method was extensively used to convert arrays of attributes into HTML strings. While core code often used this carefully, the lack of automatic HTML escaping within ArrayHelper::toString() presented a "footgun" API, making it easy for developers to accidentally introduce XSS vulnerabilities if user-supplied data was passed un-sanitized.

This PR introduces a dedicated, secure method for building HTML attributes, significantly enhancing the platform's security posture.

Summary of Changes

1. Introduced HTMLHelper::buildAttributes()

   A new public static method buildAttributes() has been added to libraries/src/HTML/HTMLHelper.php. This method responsibly converts an array of attributes into a properly escaped HTML attribute string using htmlspecialchars(value, ENT_QUOTES, 'UTF-8').

2. Migrated HTMLHelper::link() and HTMLHelper::iframe()

   The core HTMLHelper::link() and HTMLHelper::iframe() methods were updated to utilize HTMLHelper::buildAttributes() for their attribute generation, replacing their direct use of ArrayHelper::toString().

3. Comprehensive Migration Across the Codebase

   All other identified instances of ArrayHelper::toString() that were responsible for generating HTML attributes have been replaced with HTMLHelper::buildAttributes().

Testing Instructions

Unit tests are provided.

Actual result BEFORE applying this Pull Request

All should work fine.

Expected result AFTER applying this Pull Request

All should work fine.

Link to documentations

Please select:

• Documentation link for guide.joomla.org:

• No documentation changes for guide.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed