Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Like the title says.
I'm not seeing where it'd actually be used for escaping the JS. Serving XHTML as application/xml never took off because (thanks to?) IE.
Comment | File | Size | Author |
---|---|---|---|
#12 | xhtml_is_not_a_thing-2120113-12.patch | 1.29 KB | nlisgo |
#10 | xhtml_is_not_a_thing-2120113-10.patch | 5.94 KB | nlisgo |
#10 | interdiff-2120113-8-10.txt | 3.72 KB | nlisgo |
#8 | xhtml_is_not_a_thing-2120113-8.diff | 2.75 KB | harjotsingh |
#5 | 2120113-5.patch | 1.29 KB | akalata |
Comments
Comment #2
geek-merlinFixed in #1021622: Improper escaping of CDATA for inline css
Comment #3
akalata CreditAttribution: akalata as a volunteer commentedThis was incorrectly marked as a duplicate; the referenced issue fixed incorrect auto-escaping, where this issue is about removing CDATA statements completely.
Comment #4
RainbowArrayNice writeup on CSS Tricks: https://css-tricks.com/the-script-tag/.
Unless somebody is using Drupal 8 to create an XHTML site, which they should not be doing, we do not need CDATA.
Comment #5
akalata CreditAttribution: akalata as a volunteer commentedComment #7
akalata CreditAttribution: akalata as a volunteer commentedFrom YesCT:
ag CDATA core --ignore="core/vendor" --ignore="test" --ignore="*Test.php" --ignore="*.js"
might be a good way to search for CDATA, though we do need to allow Test files.Comment #8
harjotsingh CreditAttribution: harjotsingh as a volunteer commentedCDATA is found in
/core/lib/Drupal/Core/Asset/JsCollectionRenderer.php
and
core/lib/Drupal/Component/Utility/Html.php
Comment #10
nlisgo CreditAttribution: nlisgo commentedComment #12
nlisgo CreditAttribution: nlisgo commentedComment #13
nlisgo CreditAttribution: nlisgo commentedI got a bit carried away on my path in #10. The scope of this issue is to remove CDATA tags from inline CSS/JS.
Comment #15
nod_Sorry didn't link the issue, it's been taken care of in #2510104: Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future.
Comment #16
joelpittet@nod_ are you sure? That issue looks like it's adding CDATA stuff not removing it.
I was just made aware of this issue this morning.
Comment #17
RainbowArrayLooking at the patch on #2510104, it does look like it got rid of the same CDATA lines we were trying to get rid of here.
Comment #18
joelpittetRe-opening must have been a mistake.
Comment #19
YesCT CreditAttribution: YesCT commentedNote #2550467: Remove #value_prefix and #value_suffix from HtmlTag has work on it and removes CDATA.
Comment #20
YesCT CreditAttribution: YesCT commentedso #2550467: Remove #value_prefix and #value_suffix from HtmlTag is doing more, but also doing what this was going to do.
marking duplicate.
(might be good to credit the people who worked on this there.)
Comment #21
alexpottNote that the wrapping of drupal settings in JSON was removed by #2510104: Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future and all the code changed in the last patch on this issue was removed in that issue.