Beta phase evaluation
Issue category | Task: this is part of the Twig autoescape meta-issue (#1825952: Turn on twig autoescape by default) |
---|---|
Issue priority | Major: existing code incorrectly marked strings as safe. Also #2337747: HTML entities/tags in the item title are double encoded for feeds using fields, which was marked as major, was closed as a dup of this. |
Prioritized changes | Security change and follow up from a recent critical change. |
Disruption | There will be disruption for any contrib modules using format_xml_elements , which is eliminated by this change. Comment #13 suggests this to be a very limited number though it is hardly a thorough examination of contrib. |
Follow-up to: #1825952: Turn on twig autoescape by default
Problem/Motivation
In #1825952: Turn on twig autoescape by default, format_xml_elements() assembles XML markup based on input and it is subsequently marked as safe. However, there is no guarantee that the rendered markup is actually safe.
This is not a security regression because the same is true in HEAD; format_xml_elements()
will render whatever the caller tells it to, so it's the caller's responsibility to sanitize the input. However, this is one of the only places that we are marking as safe markup strings that are not explicitly known to be safe.
Proposed resolution
Remove format_xml_elements
and use the existing preprocess functions to prepare variables for use in views-view-row-rss.html.twig
.
Remaining tasks
Create patchUpdate/Add tests- Create change record
User interface changes
None.
API changes
Remove format_xml_elements
.
Postponed until
Comment | File | Size | Author |
---|---|---|---|
#42 | 2296885-42-39.interdiff.txt | 1.14 KB | mikeker |
#42 | 2296885-42_format-xml-elements.patch | 14.66 KB | mikeker |
#39 | 2296885-39-24-docs-update.interdiff.txt | 627 bytes | mikeker |
#39 | 2296885-39-24-fixes-tests.interdiff.txt | 790 bytes | mikeker |
#39 | 2296885-39_format-xml-elements.patch | 14.29 KB | mikeker |
Comments
Comment #1
xjmComment #2
xjmComment #3
dawehnerDon't we have an issue to remove format_xml_elements() already? Its not really such an helpful API and note: we do have no use for it anymore in core.
Comment #4
jibranComment #5
mikeker CreditAttribution: mikeker commentedOther than
format_xml_elements
calling itself, the only place I could find a usage (outside of tests) was in Views. Specifically:template_preprocess_views_view_rss()
andtemplate_preprocess_views_view_row_rss()
. My take is those should be handled in the template and not preprocessed. See also #2337747: HTML entities/tags in the item title are double encoded for feeds using fields.As @dawehner said in #3, we should probably remove this function and move it's processing to the two relevant Views templates.
I'll look through the tests and see if there's anything lurking there...
Comment #6
mikeker CreditAttribution: mikeker commentedComment #7
mikeker CreditAttribution: mikeker commentedAttached patch cleans up Views' RSS formatting and removes the last call to
format_xml_element
in core outside of tests. I haven't touchedformat_xml_elements()
yet -- wanted to see what the testbot thinks first.If the testbot comes back green, I'll go ahead and start removing
format_xml_elements
from the tests and replacing it with the actual XML that should be generated in those tests.I welcome any feedback on this approach -- I've never worked on removing things from core before... :)
Comment #8
mikeker CreditAttribution: mikeker commentedIssue consolidation: Adds the test from #2337747-12: HTML entities/tags in the item title are double encoded for feeds using fields which I'm marking as a dup of this issue as the underlying fix will take care of both.
Also, what idiot marked this as related to itself in #6? /me: ducks out of sight...
Comment #10
dawehner+1 to inline the XHML, at remove the usage of format_xml_elements().
Do we consider format_xml_elements() as something removable at this point?
Comment #11
mikeker CreditAttribution: mikeker commented@dawehner: I haven't been able to find any previous discussion about removing format_xml_elements(). Would love to hear what others think about removing it...
Comment #12
joelpittetI'm for it!
Though we may need to check on contrib usage at beta stage but at the least we could deprecate it.
Comment #13
mikeker CreditAttribution: mikeker commentedFor what it's worth this, for D7, shows only six calls, all within core and Views. The list of modules tracked is by no means exhaustive, but it's not insubstantial either.
I would guess there would be minimal impact on contrib. Regardless, this would need a change record.
Comment #14
mikeker CreditAttribution: mikeker commentedRerolled against latest HEAD.
Comment #15
mikeker CreditAttribution: mikeker commentedSince #2337747: HTML entities/tags in the item title are double encoded for feeds using fields was bumped to Major in comment #3 and then closed as a dup of this issue, I'm bumping this to Major as well.
Comment #17
mikeker CreditAttribution: mikeker commentedAck, totally goofed the reroll in #14. Rerolled the reroll and removed
field_langcode
field_langcode_add_to_query
from the test view as per this CR.Comment #18
mikeker CreditAttribution: mikeker commentedComment #19
Mile23Needs a reroll.
Comment #20
mikeker CreditAttribution: mikeker commentedRerolled.
Also realized that I never actually removed
format_xml_elements
fromcommon.inc
. This patch does that as well.Comment #21
mikeker CreditAttribution: mikeker commentedUpdated proposed resolution and remaining tasks in the issue summary.
Comment #23
mikeker CreditAttribution: mikeker commentedAdded beta eval.
Comment #24
mikeker CreditAttribution: mikeker as a volunteer commentedIn re-reading this issue, it looks like I was waiting for... something... before removing
format_xml_elements
. The attached patch removes the code and fixes the tests that were relying on it.In the CR, we will need to mention that contrib modules subclassing the Views RSS style plugin will need to tweak the output of
getChannelElements
to return a render array instead of an array to be consumed byformat_xml_elements
.Comment #25
mikeker CreditAttribution: mikeker commentedFixed HTML in beta eval, tweaking wording in "disruption" section.
Comment #29
mikeker CreditAttribution: mikeker commentedSince the testbot came back green after #28.
Comment #30
mikeker CreditAttribution: mikeker commentedPatch still applies cleanly -- rerunning tests, just in case.
Comment #32
mikeker CreditAttribution: mikeker commentedPatch applies cleanly to today's HEAD and the testbot is green as of 27 April.
Sorry, forgot to unassign myself and remove the reroll tag.
Comment #33
mikeker CreditAttribution: mikeker commentedHeh... Also forgot that I started a draft CR about a month ago:
https://www.drupal.org/node/2468139
Comment #34
catchI'd personally be OK with removing format_xml_elements(), the chances of that being used anywhere are really minimal and I think it does more harm staying in since it's a red herring compared to serializer etc. Could use a second opinion from another committer though, because I do love removing things.
The issue for refactoring Views RSS is #2003108: Switch Views RSS to use Serializer/Zend by the way.
Comment #35
mikeker CreditAttribution: mikeker as a volunteer commented@catch: Agreed, chances for disruption are minimal and the ability to override the default RSS markup is nice. Thanks for the link to the related issue, I've added a link to this issue over there.
Comment #36
xjmI agree with the beta evaluation and @catch's assessment in #34; I think it's actually a good thing to have a BC break in this case.
Comment #37
dawehner+1 to remove it. Xml is less common than before, a template also works pretty good.
In case you want to, there is also tools like https://github.com/nb/oxymel and https://github.com/iwyg/xmlbuilder to make xml building really easy
Comment #39
mikeker CreditAttribution: mikeker as a volunteer commentedRerolled and fixed tests. #2424533: Copy views templates to Classy added
views-view-row-rss.html.twig
(which is changed in this patch) to Classy. However there are no classes added by this template (it's an RSS feed, after all) so I removed it as part of this patch. See the fixes-tests interdiff.There is also a minor doc change as shown in the docs-update interdiff.
Comment #40
dawehnerI totally agree that there is no reason to have that template as part of classy.
Comment #41
alexpotthttp://www.drupalcontrib.org/api/drupal/drupal%21includes%21common.inc/f... shows that in Drupal 7 only views and core used the method I agree that removing this makes sense.
I don't think this issue should remove core/themes/classy/templates/views/views-view-row-rss.html.twig since that is out of scope. Having the templates all in classy is not just about the templates using a class. It is about making things very easy to find.
Comment #42
mikeker CreditAttribution: mikeker as a volunteer commented#41: Makes sense.
This patch updates the template in classy to use the same markup as that in
core/modules/views/templates/views-view-row-rss.html.twig
.Comment #43
dawehner+1
Comment #44
alexpottThis issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed cc55e5c and pushed to 8.0.x. Thanks!
Unrelated change - removed on commit.
Comment #46
xjmComment #48
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedThe change record here was still in "Draft" state. I went ahead and published it now.