filter_xss*() functions live in filter.module.
The reason for countless exceptions and hard-coded loading of filter.module throughout core.
Possible solutions:
a) Move it as-is into common.inc.
b) Move into common.inc and rename into check_xss*().
c) Move into sanitize.inc and rename into check_xss*() or clean_xss*() or similar.
Agreement first.
Comment | File | Size | Author |
---|---|---|---|
#10 | changes.patch | 2.02 KB | Damien Tournoud |
#9 | drupal.filter-xss-LF.patch | 19.57 KB | sun |
#8 | drupal.filter-xss.patch | 19.57 KB | sun |
Comments
Comment #1
Anonymous (not verified) commented:
+1.
Way back when I thought we could use the registry to remove module_load_all from _drupal_bootstrap_full, this was one of the first functions that broke that naive idea.
Kill it, kill it dead.
Comment #2
sun commented:
Given that you're one of the folks who seem to work on registry a lot, it would be good to provide at least one opinion on the choices mentioned in the OP.
Comment #3
catch commented:
I vote (a) but don't have particular objections against (b) or (c).
Comment #4
Anonymous (not verified) commented:
I'd vote a), because it solves the problem at hand without having to work out whether we should rename.
Comment #5
Damien Tournoud commented:
Vote (a) also. I've been willing to do so for a while now ;)
Comment #6
sun commented:
OK. Now, let's get a confirmation from chx, webchick, and Dries.
Side note: After moving those functions, we can
1) remove required = TRUE from filter.info and
2) no longer load filter.module in maintenance mode (install/update/regular offline) and remove it everywhere else we've hard-coded it.
Which means: check_markup() and filter_form() will be available in DRUPAL_BOOTSTRAP_FULL only. We need to check whether any hook_update_N() tries to invoke other functions of filter.module and fix accordingly.
Comment #7
sun commented:
#455724: Rename "check_markup()" made this decision simpler: Renaming (and/or possible replacement with PHP's filter functions) will be left for a separate issue.
Comment #8
sun commented:
required = TRUE serves a different purpose and cannot be removed. It means that filter.module must always be enabled, so modules can invoke filter_form() and check_markup() without testing whether filter.module is installed.
Comment #9
sun commented:
Meh. Damn Windows.
Comment #10
Damien Tournoud commented:
This makes a lot of sense.
Overly cautious, checked this patch very carefully. There is no code change at all (see attached patch), only a couple of whitespace fixes and the reformatting of two doxygen comments.
Comment #12
sun commented:
Last attachment shouldn't have been named .patch ;)
Comment #13
Dries commented:
Committed to HEAD. I agree that is the right thing to do. I do think renaming the functions would be good.
Comment #15
sun commented:
#645468: Filter module no longer needs to be loaded by default