Problem/Motivation

It is currently not possible to output anything that resembles an HTML tag in an attribute using ui_patterns.

Looking at \Drupal\ui_patterns\Plugin\UiPatterns\PropType\AttributesPropType::normalizeAttrValue, the value goes through strip_tags but right after that, it goes in \Drupal\Core\Template\AttributeString::__toString to be HTML escaped.

On a larger scope, we should review all calls to strip_tags in the module and assess if it is appropriate.

Steps to reproduce

Using ui_suite_bootstrap, consider the following twig:

{# Case 1: using drupal attributes. #}
{% set foo_attr = 'Hello <em>world</em> and <<not-a-tag>> and <123> and <em2>OK</em2>.' %}
{% set btn_attrs = create_attribute({'data-foo': foo_attr}) %}
<button{{ btn_attrs }}>test</button>

{# Case 2: using SDC and ui_patterns. #}
{{ include('ui_suite_bootstrap:button', {
  label: 'test',
  attributes: {'data-foo': foo_attr}
}, with_context: false) }}

Raw output:

// Case 1: OK the attribute is html-escaped
<button data-foo="Hello &lt;em&gt;world&lt;/em&gt; and &lt;&lt;not-a-tag&gt;&gt; and &lt;123&gt; and &lt;em2&gt;OK&lt;/em2&gt;.">test</button>

// Case 2: NOK tags are stripped
<button data-foo="Hello world and  and  and OK." data-component-id="ui_suite_bootstrap:button" type="button">test</button>       

Proposed resolution

Possibly remove strip_tags entirely, since attributes are already escaped in \Drupal\Core\Template\AttributeString::__toString.

Remaining tasks

todo

User interface changes

N/A

API changes

N/A

Data model changes

N/A
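
The two renderings from the steps to reproduce, as an added example (not code from ui_patterns or Drupal core): it runs strip-then-escape and escape-only over the issue's sample string plus two constructed strings, and reports whether the output stays inside the attribute and whether the original value survives. All function names are hypothetical, and `htmlspecialchars()` is an assumed stand-in for the escaping done in AttributeString::__toString.

```php
<?php
// Added example; function names are hypothetical, not ui_patterns or Drupal API.

// Assumption: stands in for the escaping applied by AttributeString::__toString.
function escape_attr(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Behaviour reported in the issue: strip_tags, then escape.
function render_strip_then_escape(string $value): string {
  return escape_attr(strip_tags($value));
}

// Proposed resolution: escape only.
function render_escape_only(string $value): string {
  return escape_attr($value);
}

// True when nothing in the rendered value can end the attribute or start a tag.
function is_attribute_safe(string $rendered): bool {
  return strpbrk($rendered, "<>\"'") === false;
}

// Undo the escaping, approximating what getAttribute() returns in a browser.
function parsed_value(string $rendered): string {
  return htmlspecialchars_decode($rendered, ENT_QUOTES);
}

$samples = [
  // Sample string from the issue's steps to reproduce.
  'Hello <em>world</em> and <<not-a-tag>> and <123> and <em2>OK</em2>.',
  // Constructed samples: plain comparison operators, and quotes in the value.
  'if a < b and c > d',
  'say "hi" & it\'s <b>fine</b>',
];

foreach ($samples as $value) {
  foreach (['render_strip_then_escape', 'render_escape_only'] as $render) {
    $out = $render($value);
    printf(
      "%-26s safe=%s lossless=%s\n  data-foo=\"%s\"\n",
      $render,
      var_export(is_attribute_safe($out), true),
      var_export(parsed_value($out) === $value, true),
      $out
    );
  }
}
```

Escaping alone is what keeps the value inside the attribute, so both renderings pass the safety check; where they differ, it is in whether the original value survives.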


Comments

herved created an issue. See original summary.

herved’s picture

Issue summary: View changes
just_like_good_vibes’s picture

Assigned: Unassigned » just_like_good_vibes

I will take that one

just_like_good_vibes’s picture

Status: Active » Needs work
just_like_good_vibes’s picture

If I understand well, you want to store HTML in a data-* attribute? Let me gently remind you that while it is not strictly forbidden, it is usually discouraged and not recommended.
Those attribute values hold strings, so yes, you can stuff HTML markup in there, and yes, it needs to be properly escaped.

But we originally decided to strip tags for attribute values and that was a design choice.

I will talk with the other maintainers of the module to check if we will support the use case you are mentioning and come back to the issue.

herved’s picture

Using a small amount of HTML in data-* attributes is generally acceptable, but as stated in the IS, this filters anything that resembles an HTML tag, but isn't necessarily.
Some example strings and their output after strip_tags: https://3v4l.org/NoIPv

just_like_good_vibes’s picture

Assigned: just_like_good_vibes » Unassigned
Status: Needs work » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.