Inline templates are XSS filtered incorrectly

any idea how to set allowed tags in inline_template ?

+++ b/core/modules/system/system.admin.inc
@@ -320,14 +320,12 @@ function theme_system_modules_uninstall($variables) {
+        'data' => SafeMarkup::set($col2)

#2280965: [meta] Remove every SafeMarkup::set() call contains some suggested patterns for avoiding SafeMarkup::set().

any idea how to set allowed tags in inline_template ?

I searched around a bit but couldn't figure it out.

@LKS90 HEAD is using an inline twig template to safely render the table of module names. Some commit has broken this search form by stripping the <label> tag. The question in #2 was over how one would allow the label tag to pass through.

I found it.

Xss.php hasn't changed its list of allowed tags since it was first created more than two years ago in commit 23b59123. Adding a new tag to the allowed list in Xss.php may avoid this particular problem, but it will have very wide consequences (every module uses Xss::filter() at some point) and may impact security.

The issue which broke the uninstall page is #2273925: Ensure #markup is XSS escaped in Renderer::doRender() (I used git bisect). IMO a proper fix will be to address how to use known-good markup in an inline_template element, now that this markup is being automatically sanitized. The patch in #1 is a solution, but it would be nice to keep the inline_template here if possible (see #2280965: [meta] Remove every SafeMarkup::set() call). Unfortunately, SafeMarkup::set() doesn't work in the inline_template. If the uninstall page has this problem, it's inevitable that it will show up again, especially in contrib, so it makes sense to figure out a global fix rather than just make <label> a safe tag like in #7.

ahh. So SafeMarkup::format is the best option at the moment.

+++ b/core/modules/system/system.admin.inc
@@ -323,10 +323,12 @@ function theme_system_modules_uninstall($variables) {
+            '@module_name' => drupal_render($form['modules'][$module]['name'])
+          )
         )

We need commas after the last array elements.

that's args for the function. adding commas would cause syntax error

+1 for RTBC. This path is in-scope and uses one of the allowed sanitization methods.

+++ b/core/modules/system/system.admin.inc
@@ -323,10 +323,12 @@ function theme_system_modules_uninstall($variables) {
+          )

I hate to be a nudge but there should be a comma here also as the end of the multiline 'data' array element.

Cool, no problems :)

I added a small regression test.

The result of inline templates should be marked safe. This is indicative of a larger issue.

We need to do something like this. btw this is a really nice find. Glad we're dealing with this now.

Retitling to detail what the actual issue is.

Wow surprised we didn't run into this already. Thanks for the test coverage @alexpott.

I tested the patch and indeed it solves this specific problem (filtering on uninstall modules page is broken) and also the larger issue of using known-good markup in an inline_template. The added test ensures that the markup required by the JavaScript for the filter to work is present - that should preclude this from getting broken again.

+1.

Committed/pushed to 8.0.x, thanks!