Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
FormErrorHandler::displayErrorMessages calls SafeMarkup::set() which is meant to be for internal use only.
Proposed resolution
- Remove the call by refactoring the code.
Remaining tasks
- Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
- Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
- If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.
Manual testing steps (for XSS and double escaping)
Do these steps both with HEAD and with the patch applied:
- Clean install of Drupal 8.
- Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
- If there is any user or calling code input in the string, submit
alert('XSS');and ensure that it is sanitized.
User interface changes
N/A
API changes
N/A
Comment | File | Size | Author |
---|---|---|---|
#68 | 2550981-3.68.patch | 14.22 KB | alexpott |
#68 | 67-68-interdiff.txt | 467 bytes | alexpott |
#67 | 2550981-3.67.patch | 14.18 KB | alexpott |
#67 | 63-67-interdiff.txt | 434 bytes | alexpott |
#63 | 2550981-3.63.patch | 13.75 KB | alexpott |
Comments
Comment #2
josephdpurcell CreditAttribution: josephdpurcell commentedComment #3
akalata CreditAttribution: akalata commentedMight want to use #2501975: Determine how to update code that currently joins strings in SafeMarkup::set() to find examples of marking joined strings as safe.
Comment #4
akalata CreditAttribution: akalata commentedPostponed on #2505931: Remove SafeMarkup::set in ViewListBuilder. Whatever pattern we find works there can most likely be used here as well.
Comment #5
kgoel CreditAttribution: kgoel at Forum One commentedPer @xjm - this is actionable issue now.
Comment #6
kgoel CreditAttribution: kgoel at Forum One commentedThis is wrong one and still postponed.
Comment #7
xjm#2505497: Support render arrays for drupal_set_message() would have helped with this, but that issue is in no danger of being solved and is probably going to be wontfixed.
So one option here is to do a renderPlain() on a render array with the items before returning to the dsm().
Comment #8
stefan.r CreditAttribution: stefan.r commentedThis may work once #2505931-170: Remove SafeMarkup::set in ViewListBuilder is in, just needs unit tests.
Comment #9
Wim Leers#2505931: Remove SafeMarkup::set in ViewListBuilder just landed :)
Comment #10
dawehnerLooks fine for me. Did you checked whether we have a test for that?
Comment #12
stefan.r CreditAttribution: stefan.r commentedLet's manually test?
Comment #13
stefan.r CreditAttribution: stefan.r commentedAlso, we need to update the unit test
Comment #14
stefan.r CreditAttribution: stefan.r commentedMarking needs tests as we still need to do the unit tests
Comment #15
Wim LeersComment #17
stefan.r CreditAttribution: stefan.r commentedLet's fix that fatal error
Comment #19
stefan.r CreditAttribution: stefan.r commentedComment #20
stefan.r CreditAttribution: stefan.r commentedThe 3 spaces after the string "@count errors have been found:" are a bit ugly but let's see if this gets us closer to green, would rather not change the template in this issue.
Comment #21
stefan.r CreditAttribution: stefan.r commentedComment #22
Wim LeersLooks great. I'd RTBC, but I don't know how to manually test this?
Nit: s/Renderer/renderer/
Comment #23
stefan.r CreditAttribution: stefan.r commentedTrigger several errors on a form, or alternatively download and install https://github.com/dmsmidt/errorstyle and go to
/error-style/form
Comment #24
stefan.r CreditAttribution: stefan.r commentedTested manually and this looks OK. The only thing is the inline comma list will still need some CSS love but that's a general problem, not sure if that's in scope here?
With patch:
Without patch:
Comment #25
Wim LeersComment #26
xjmThanks @stefan.r and @Wim Leers!
Ah, the weird lack-of-spaces in DateTimeFieldTest is a quirk of
assertText()
and the way the data provider is used.So these hunks are actually removing a bit of the test coverage. In HEAD, they assert both that the error is found and that there is a correct jump link for it (see #1493324: Inline form errors for accessibility and UX).
So, instead of doing assertRaw() on the whole thing, to avoid unnecessarily testing the template markup, I'd suggest that we split this into separate assertions: one for the error count text, and one for the links to the fragments.
We could also use that strategy to avoid the weirdness with the spacing in the DateTime test.
This is also removing test coverage.
Comment #27
xjmForgot to say, thanks also for the manual testing -- I think the before-and-after screenshots look okay.
Comment #28
stefan.r CreditAttribution: stefan.r commentedComment #29
joelpittetBefore
After
The CSS can be improved in a follow-up.
Comment #30
joelpittetWe did that loop link checking strategy earlier in this patch, so it just came back around into the patch:)
Comment #31
joelpittetFollow-up created #2557367: Fix inline list CSS
Comment #32
alexpottI think we should address the visual regression in the issue that introduces it - no?
Comment #33
catchYes I think that's worth fixing either here, or postponing on #2557367: Fix inline list CSS if it needs more discussion.
Comment #34
stefan.r CreditAttribution: stefan.r commentedThe problem here is that a) the div will need a
display: inline-block;
if it's inside messages__list and b) the margin from this style:overrides this one:
Should we just fix this with a !important after the 0px in the margin?
Comment #35
alexpottThe patch attached fixes the issue - it removes the indent and makes comma lists properly inline in all themes.
Comment #37
davidhernandezYou can't do that. The item-list wrapper doesn't exist in the core template.
Comment #38
davidhernandezWe're just looking at the form errors list correct? I'll take a look.
Comment #39
davidhernandezGrr, these things would be easier if we can get that CSS moved to Classy.
I didn't make screenshots for all the RTL but I did look. As usual, someone manually test and doublecheck that it's ok.
p.s. multiple file upload would be really nice to have.
Comment #40
davidhernandezp.p.s I know adding it to messages contradicts my comment in #37, but it's the simplest fix without making out of scope changes. It should be fine if/when we move that file to Classy, which we have an open issue to do.
Comment #41
davidhernandezNo margin should be needed LTR or RTL because displaying the comma list inline should get the natural spacing of the text and line height.
Joel, how did you make the "error not related to a real element"? I did not test that. I imagine it would still be ok since the spacing is there in the regression. It should be on the wrapper, not the comma list.
Comment #42
joelpittetNeeds a space there, but thanks @davidhernandez, that is a bit of a more direct change I had in mind. also +1 to multiple uploads, almost always adding a patch + interdiff, if not crap tone of screenshots;)
A bit of why I opened a follow-up was to avoid bloating the core of this commit/patch with fixing problems that were not part of the IS and weren't a direct cause of this issue.
Comment #43
joelpittet@davidhernandez used the module mentioned in #23 for the test.
Comment #44
joelpittetOther than that space mentioned in #42 that can be fixed on commit. I think this is good to go.
Here's a new screenshot set.
Before
After
If this get's kicked back on the CSS one more time, please commit #28 and we can move the CSS to the follow-up.
Comment #45
alexpottThe fix in #39 is not correct either. The comma list could be used in a success message or any other item list. We need a general fix because of the general styling of lists within lists.
I actually think this is wrong. The core styling that is causing problems is
so core already has the concept of ul's in item-list classed elements. The answer is to remove this styling and add it to classy where the
.item-list
wrapper is added and then handle comma lists inside lists there.Comment #47
stefan.r CreditAttribution: stefan.r commentedComment #49
stefan.r CreditAttribution: stefan.r commentedComment #50
stefan.r CreditAttribution: stefan.r commentedThe CSS/template changes in #45 look good and 48/49 just did a
s/ / /
on the error messages to fix tests.Screenshots from manual testing in #45 look good and did one last manual test on the last patch to confirm (including on the comma-separated item list in the views listing).
The visual regression seems fixed, so this looks ready to me if tests are green now, considering how trivial the last 2 interdiffs are.
Comment #51
davidhernandezYes, but I agree with Joel that moving all the CSS around is too much to roll into this issue. We can fix that with the plan to move all the CSS.
I targeted the error messages specifically, but that can be changes to just
.messages
. However, I'm don't think that is correct. All item lists are not inline, this is really only a problem with the comma list, in conjunction with the error message which has the inline label. Other item lists are block displayed uls, so that line.messages--error .item-list
has no affect which is fine.edit: made a typo that hid everything.
Comment #52
alexpott@davidhernandez but the comma list needs to be displayed inline regardless of where is it. And I think the changes to the tests in #45 and #47 show that current approach is correct.
Comment #53
dawehnerI'm confused, isn't the selector the same twice?
Comment #54
Wim LeersNit: s/Renderer/renderer/.
Nit: Extraneous newline added here.
And why is that a problem? Attachments are simply ignored/discarded when using
renderPlain()
.What's this "dataset" subdirectory?
Comment #55
xjmTo clarify #52, this is additional CSS that probably should have been introduced in #2505931: Remove SafeMarkup::set in ViewListBuilder with the original comma-separated list stuff, and we only missed it in that case because the list was on a line by itself. So it makes sense to add it here, though I'd also be okay with a general followup for it. But I agree with @alexpott that we shouldn't add the CSS only for messages.
Nice work on the manual testing!
Comment #56
davidhernandezThe comma list is already inline. The issue is the wrapper only because in the context of the error messages that text label is there outside the wrapper. I'm saying I agree there there needs to be a wrapper class for it, that is the root cause (and I new that in the views list builder issue,) but doing so requires making all those changes. Those changes then have to be reviewed outside the context of just the form errors. So if you really want to go that route we have to look at more than form errors.
Comment #57
alexpott@dawehner good point! All the
.item-list blah
belongs in classy.@Wim Leers
1. Fixed
2. Fixed
3. Yes but we need to add item.list.css when rendering a comma separated list... so doing
{{ attach_library('classy/item.list') }}
in the item-list.html.twig does not work.4. The dataset directory is just to match the template's directory...
core/themes/classy/templates/dataset/item-list.html.twig
Comment #58
alexpott#56 the wrapper is an issue everywhere in classy - it just so happens that so far we have only used comma lists in table columns so we had not noticed.
Comment #59
Wim Leers#57.3: aahhh! So this is basically a case where a message for
drupal_set_message()
does need to bubble attachments. That was not at all clear to me on my first reading.Shouldn't this be
item-list.css
instead ofitem.list.css
?Comment #60
stefan.r CreditAttribution: stefan.r commentedRolling a new patch on the assumption the answer to that question is yes as it's consistent with the naming of the other CSS files (seems we use dots for sub-elements and dashes for words).
Comment #61
alexpottGiven the concerns @davidhernandez, @joelpittet and @xjm (in conversation) are both pointing that the css changes could possibly have a bigger impact.
Uploading #28 again.
Comment #62
xjmSo the suggestion I made to @alexpott is that we temporarily let the small visual regression for
menusmessages in and then fix and test.item-list
more broadly in #2557367: Fix inline list CSS since the scope of that is much wider; he'll add the additional work from this issue over there.Comment #63
alexpottLet's fix @Wim Leers feedback in #54 that applied to #28 too.
Also considering that I've reviewed this patch extensively whilst trying to resolve the css issues and did contribute before #28 I feel okay to rtbc this. Even though the changes to
FileFieldValidateTest
make my eyes bleed.Let's be done with
SafeMarkup::set()
Comment #64
Wim Leers#63++
Comment #65
davidhernandezI fixed those regressions in #39. It's a small change and I don't see why it's an issue if you think it should all be refactored later anyway. I am not confident in any follows getting done, and I don't think we should live with such an obvious visual regression, especially the indent, that we may get stuck with in 8.0.0.
Comment #66
xjm@davidhernandez There is a patch in #2557367: Fix inline list CSS already; hopefully that issue can go forward easily without blocking the security-related critical?
@alexpott and I discussed whether to change these assertions in this issue to do multiple
assertText()
, but the problem with that is that that also reduces the test coverage. Ideally these tests should check for the jump links like the others do, but it makes sense to do that in a followup as well.Comment #67
alexpottDiscussed at length with @davidhernandez and @xjm in IRC. @davidhernandez suggested just fixing the indentation in seven. That seems a good compromise.
Comment #68
alexpottMissed a bit. Thanks @davidhernandez.
Comment #69
davidhernandezI'm fine with that in #68. I'm not RTBCing because I don't know anything about the rest of the patch.
Comment #70
Wim LeersComment #72
xjmThat works for me for now too.
Thanks everyone and see you in #2557367: Fix inline list CSS! Committed and pushed to 8.0.x.
Comment #74
cilefen CreditAttribution: cilefen commentedShould this be marked "Fixed"?
Comment #75
xjmYes. :)