Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
split off from #2506479: Replace !placeholder with @placeholder for non URLs in t() in Views, except for t() output that is used as an attribute value.
Problem/Motivation
We have 2 remaining usages of !placeholder in views.views.inc in imploded lists
Proposed resolution
Use @placeholder and htmlspecialchars_decode to undo the escaping caused by the assumption of t() that it is dealing with markup as opposed to plain text (as is the case here)
Remaining tasks
Review patch
User interface changes
None
API changes
None
Comment | File | Size | Author |
---|---|---|---|
interdiff.txt | 4.06 KB | bfr | |
fix_use_of_placeholder-2571935-39.patch | 6.16 KB | bfr | |
interdiff.txt | 3.58 KB | bfr | |
fix_use_of_placeholder-2571935-38.patch | 6.16 KB | bfr | |
#37 | interdiff.txt | 4.91 KB | dawehner |
Comments
Comment #2
izus CreditAttribution: izus commentedwill give it a try this night
Comment #3
izus CreditAttribution: izus commentedComment #5
izus CreditAttribution: izus commentedComment #7
izus CreditAttribution: izus commentedComment #8
joelpittetThank you @izus, just missing one more set for
!display_title
.Comment #10
stefan.r CreditAttribution: stefan.r commentedehhh I think we got the issue summary wrong here? This is all already being addressed in #2506479: Replace !placeholder with @placeholder for non URLs in t() in Views, except for t() output that is used as an attribute value, we're merely splitting out the comma implode, which is postponed on having a helper for suffixing strings
Comment #11
stefan.r CreditAttribution: stefan.r commentedComment #14
dawehnerLet's be clear
Comment #15
lauriiiBlocked by #2509218: Ensure that SafeString objects can be used in non-HTML contexts
Comment #16
stefan.r CreditAttribution: stefan.r commentedSorry there was a confusion on IRC about what this is blocked by.
Discussed with @alexpott and we can actually use htmlspecialchars_decode here as a workaround - it should be the only place in core where we do this. The help key is schema-type information that ought to be plain-text only, as it is used both to be plan-text help information as well as to be UI help text.
Comment #17
stefan.r CreditAttribution: stefan.r commentedComment #20
stefan.r CreditAttribution: stefan.r commentedComment #21
dawehnerHere is an additional integration level testing.
Comment #22
alexpottIt is odd that this is Xss filtered and not escaped as I would have expected.
Comment #23
stefan.r CreditAttribution: stefan.r commentedMaybe because
htmlspecialchars_decode()
undoes quotes but also turns<script>
into<script>
, which gets filtered out whenever the field help text goes into #markup... @dawehner is that possible? I could look with a debugger?Comment #24
dawehner@alexpott
The reason is the following:
... Its using
#description
which is maybe like #markupComment #25
damiankloip CreditAttribution: damiankloip commentedSpoke with multiple people about this. It's a necessary evil for now. This is more an oversight/architecture problem in views that our UI string is defined in the views data.
Comment #26
alexpottOkay so we have a problem because of the #description which does not auto-escape. It is admin filtered. This makes the documentation added incorrect and it also makes the behaviour incorrect. If you put
em
tags in the field labels they should always be escaped but they are not here :(I really don't like the behaviour of
#description
- it feels like it should auto-escape by default. If we don't want to fix this - and that would be understand since it would be a big change now - I think we have to create another SafeStringInterface object to help building view data.I've created #2573743: #description should escape by default to explore making #description auto-escape.
Comment #27
stefan.r CreditAttribution: stefan.r commentedI'm not clear how the child is blocking, where specifically would em be a problem?
I think this shows we need better tools for concatenating strings. It's not the first time we encounter this problem?
Comment #28
stefan.r CreditAttribution: stefan.r commentedFWIW we had another patch earlier in #2506479: Replace !placeholder with @placeholder for non URLs in t() in Views, except for t() output that is used as an attribute value containing an array of markup arrays.
If we had #2554073: Allow #markup to be an array of strings and join them safely we'd be able to use just that and generate the help string without markup
Comment #29
alexpottIn every other context the script tags would be escaped. We're stripping them here because
#description
is admin filtered. The problem we have is that we need to mix markup and escaping - since a translator might need to add HTML to a translation.Comment #30
alexpottI'm working on this.
Comment #31
alexpottThis approach preserves the escaping and makes the way labels are escaped consistent with other places in the Views and Field UI. With the previous approach if a field label contained
em
tags they would be escaped in the Field UI but in this help text theem
tags would not have been filtered or escaped.The only reason this works is because #description is XSS admin filtered. And therefore the fact that the final string is not marked safe does not cause double escaping.
Comment #32
alexpottComment #33
stefan.r CreditAttribution: stefan.r commentedThis bit doesn't have tests does it? Do we need the htmlspecialchars_decode()?
Comment #34
Wim LeersThis looks great! (And I trust Alex is best judge of how to approach this.)
No point in assigning to a variable, can just be
FieldConfig::create([…])->save()
."markup that is HTML escaped" sounds very strange. "escaped HTML" or "Html::escape()d" would make sense.
Similar thing with "XSS admin filtered" here.
80 cols violations.
s/by/be/
Same here.
Fixed everything except points 2 and 3, which I defer to Alex, a native speaker. :)
Comment #35
dawehnerWorkign on the discussion we had during drupalcon
Comment #36
Wim LeersComment #37
dawehnerThere we go. We make it a safe string, as we know it is safe.
Comment #40
jhedstromI think the patches in #38 and #39 are for a different issue?
Comment #41
jhedstromI think the above concerns have been addressed, the patch in #37 looks good.
Comment #43
alexpottDiscussed with @dawehner, @xjm, @laurii, @joelpittet, and @stefan.r. It is a shame that we have to do this but creating UI text at the point of building the schema information makes this very very tricky. Committed 36b936f and pushed to 8.0.x. Thanks!
Comment #46
lauriiiComment #50
alexpott