Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The current output is rather ugly when an array or object is in use since it uses %message which goes through check_plain().
Lets make this nice and pretty.
Comment | File | Size | Author |
---|---|---|---|
#25 | 642160-debug-pre.patch | 9.38 KB | carlos8f |
#24 | pre_non_scalar_only.png | 44.34 KB | carlos8f |
#24 | pre_all_the_time.png | 45.74 KB | carlos8f |
#24 | 642160-debug-pre.patch | 9.95 KB | carlos8f |
#13 | 642160-debug.patch | 9.43 KB | boombatower |
Comments
Comment #1
boombatower CreditAttribution: boombatower commentedComment #2
webchickPlus eleventy billion! Marked #639372: Debug() should output with <code> tags as a duplicate.
However, we need to be concerned about security here. While on IRC Jimmy confirmed that this only affects the dsm() triggered by either debug() or PHP errors, not "normal" drupal_set_message()s (so for example, you can't stick JS in a node title), it still seems like it'd be possible to piggy-back malicious code and get the admin to execute it. For example, SQL errors will read out the part of the query that failed, so if you manage to stick '
<script>alert('xss');</script>
' or similar into a field someplace near a failure, it seems like you could inject malicious JS code... or worse. :\Comment #4
boombatower CreditAttribution: boombatower commentedMuch simpler version that only displays messages with pre formatting on drupal_set_message() and not in watchdog log. It also will not pre format numbers or simple strings, only objects or arrays. The HTML is also clean so you can look at it there without all the HTML entities which are very annoying.
Still not sure if we want to do highlighted string...use highligh_string() php function and var_export(). Looks nice.
Comment #5
boombatower CreditAttribution: boombatower commentedOr better yet.
Could also add same sort of logic to code that makes simpletest assertions.
Comment #6
boombatower CreditAttribution: boombatower commentedWith highligh_string().
Comment #7
Damien Tournoud CreditAttribution: Damien Tournoud commentedError messages are actually HTML in PHP, while exception messages are plain-text (totally brain-dead...).
Try:
You will get:
So we should be consistent with this, and stop encoding error messages. That should help this patch move forward.
Comment #8
boombatower CreditAttribution: boombatower commentedSure, so now do we also want
Comment #9
boombatower CreditAttribution: boombatower commentedReworked my patch with DamZ's and only included
Comment #10
boombatower CreditAttribution: boombatower commentedAdd check_plain() in debug() and remove left over comment.
Comment #11
boombatower CreditAttribution: boombatower commentedWrong place for check_plain()...lots of little mistakes.
Comment #13
boombatower CreditAttribution: boombatower commentedUpdating a few things and a test.
Comment #14
mlncn CreditAttribution: mlncn commentedTested on the latest Drupal HEAD just now. Still applies, and looks so beautiful on the screen and in logs.
I really hope this can still go in... it does have a plus eleventy-billion from webchick ;-) Note that this is also a concern expressed by several developers in #822714: Add <pre> tags to debug() For me, it felt very, very wrong to tell readers of the Drupal book i'm writing on, or for anyone else to do this, "Drupal 7 includes a debug() function, which is a great convenience when developing (or debugging). Unfortunately, its output runs together when displayed such that it is hard to see the structure of a complex array. Viewing the source code shows the structure but with the distraction of escaped HTML character entities. We can see nested arrays better by using the Devel module's dpr(), dvr(), or dkr() functions; a var_export() or print_r() function call wrapped in <pre> tags in a drupal_set_message() as above; or, of course, a debugger (see chapter {develenv})."
Comment #15
boombatower CreditAttribution: boombatower commentedSeems fair since I and most people I have talked to dislike the output very much.
Re-test to make sure no ill effects.
Comment #16
boombatower CreditAttribution: boombatower commented#13: 642160-debug.patch queued for re-testing.
Comment #17
boombatower CreditAttribution: boombatower commentedStill good.
Comment #18
mlncn CreditAttribution: mlncn commentedGood stuff, boombatower. Thanks for the patch. Tagging as a developer experience issue.
Comment #19
yched CreditAttribution: yched commentedOh, yes, pretty please...
Comment #20
Damien Tournoud CreditAttribution: Damien Tournoud commentedWorks for me, too.
Comment #21
webchickGreat work! I consider this a bug fix, since the current function is well-intentioned but doesn't actually work, really.
I tested this with the following:
I verified that both before and after this patch this correctly escapes stuff both on-screen and in watchdog, which was a problem in one of the earlier patches that I reviewed, iirc.
The only thing I'd suggest is wrapping the scalar value in
<pre> ... </pre>
as well. It looks a bit inconsistent now:Comment #22
klausiSubscribing, coming from #822714: Add <pre> tags to debug()
Comment #23
mlncn CreditAttribution: mlncn commentedThe escaping single quotation marks in the output is a little weird. Personally, i'd change that before trying to make strings etc. output in the same font as arrays and objects. Note that pre tags will always mean at least three-line messages if there is a label.
Comment #24
carlos8f CreditAttribution: carlos8f commentedSame as #13, but wrapping in
<pre>
for all variable types, as @webchick suggested.Comment #25
carlos8f CreditAttribution: carlos8f commentedof course, removing the debug() calls would be a good idea. /facepalm
Comment #26
boombatower CreditAttribution: boombatower commented:)
Comment #27
webchickGreat. Committed to HEAD!