Updated from #5

Problem/Motivation

According to the locale_string_is_safe function, which is used by the translation interface, manual imports, and automated imports via Localization update, some HTML tags are not allowed in translated strings. As a result, some strings are impossible to translate, and imports produce multiple errors.

Proposed resolution

Search and rewrite faulty strings.

Remaining tasks

  • Write a script to identify strings containing unallowed or malformed HTML.
  • Update the detection script to document it and make it reusable for contrib.
  • Open one follow-up issue per module or per file to fix it.

Sub-Issues

Comments

duaelfr’s picture

opi is currently working on the detection script: https://gist.github.com/opi/bad4443ec600c8899726

duaelfr’s picture

Issue summary: View changes

Added first sub issue

duaelfr’s picture

Thanks to opi, the detection script has been converted into a tiny drush module.

On the current dev version, this is what the script outputs:

#: core/modules/views/lib/Drupal/views/Plugin/views/filter/FilterPluginBase.php:1133
<Any>
#: core/modules/field/field.views.inc:422
<No value>
#: core/modules/aggregator/lib/Drupal/aggregator/FeedStorageController.php:77
The parent website's description that comes from the <description> element in the feed.

This script could be improved to help module maintainers to keep their strings safe (or it may be integrated in Coder).

duaelfr’s picture

Issue summary: View changes

Marking first remaining task as done and adding a new one

yesct’s picture

Issue tags: +drush

This is really well organized.

I think we should come back to this every once in a while and re-run it.

Also, I wonder if we should look at the work in
https://drupal.org/project/issues/search/potx?issue_tags=Drupal%208%20co...

ps. I didn't know we had a D8MI-meta tag. I have some other meta issues that could be tagged with that.
Usually I do a search for the D8MI tag, and add meta to like the title search to find them.
hm.

yesct’s picture

Issue summary: View changes

Add new subissue

duaelfr’s picture

Title: [META] Remove disallowed HTML from Core translated strings » [META] Fix unsafe core's translatable strings

Renaming the issue to be more accurate with its real purpose

duaelfr’s picture

I added a patch in the Coder module to help module maintainers to follow this initiative.
#2050211: Check translatable strings

duaelfr’s picture

Issue summary: View changes

Added two sub issues

duaelfr’s picture

I ran the drush script today and no new unsafe string had been detected!
\o/

duaelfr’s picture

Issue summary: View changes

Updated issue summary.

duaelfr’s picture

Issue summary: View changes

I just updated the drush script to handle the change in the version number.

We got a new unsafe string!

#: core/modules/contextual/contextual.module:77
Hovering over the area of interest will temporarily make the contextual links button visible (which looks like a pencil in most themes, and is normally displayed in the upper right corner of the area). The icon typically looks like this: <img src="!pencil" alt="contextual links button" />

New sub-issue opened => #2371457: Replace inappropriate translatatable string in core/modules/contextual/contextual.module

duaelfr’s picture

I updated the script to use the potx module to be more precise and to be able to run it from a D8 instance.
- old script: https://gist.github.com/DuaelFr/6040368/ae874bbffdcdd5b01a35de63906e05b9...
- new script: https://gist.github.com/DuaelFr/6040368

How to use it:

  1. Download the file to ~/.drush/i18n_check
  2. Clear drush cache
  3. Go to an installed drupal directory
  4. Run $drush i24k

You might see some errors due to the potx module recognising improper use of variables in translation methods, but do not spend time on these and go to the real results, which are formatted as follows:

#: /tmp/i18ncheck/core/file/involved:line
Untranslatable string

For some reason, when the string has been found in a yml file, the line shown by the script is always 0.

duaelfr’s picture

Running the new version of the script I found two new untranslatable strings.

#: /tmp/i18ncheck/core/modules/locale/config/install/tour.tour.locale.yml:0

This page allows you to translate the user interface or modify existing translations. If you have installed your site initially in English, you must first add another language on the <a href="[site:url]/admin/config/regional/language">Languages page</a>, in order to use this page.

#: /tmp/i18ncheck/core/modules/locale/config/install/tour.tour.locale.yml:0

The translations you have made here will be used on your site's user interface. If you want to use them on another site or modify them on an external translation editor, you can <a href="[site:url]/admin/config/regional/translate/export">export them</a> to a .po file and <a href="[site:url]/admin/config/regional/translate/import">import them</a> later.

Digging a bit with the help of dawehner we found that Xss::filter was dropping tokens if they were part of an href (or maybe src) attribute because of the protection against "javascript:" things.

I opened a new issue to follow this particular case.
#2371861: Strings including tokens in href or src attributes cannot be translated due to safeness check incompatibilities
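
The behaviour described in the comment above, as an added example that is not part of the original thread or of Drupal core: a simplified model of scheme stripping on href/src values, followed by the "unchanged after filtering" comparison. The function names, the allow-list and the regular expression are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model, not Drupal core code.
// Assumed allow-list of URL schemes (constructed for this example).
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp', 'mailto'];

// Repeatedly drops a leading "scheme:" that is not on the allow-list.
function strip_disallowed_protocols(string $uri): string {
  do {
    $before = $uri;
    $colon = strpos($uri, ':');
    if ($colon > 0) {
      $scheme = substr($uri, 0, $colon);
      // A colon after "/", "?" or "#" is part of a relative URL, not a scheme.
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      if (!in_array(strtolower($scheme), ALLOWED_PROTOCOLS, true)) {
        $uri = substr($uri, $colon + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

// Hypothetical stand-in for the HTML filter: rewrites href/src values only.
function filter_link_attributes(string $html): string {
  return preg_replace_callback(
    '/\b(href|src)="([^"]*)"/i',
    fn(array $m) => $m[1] . '="' . strip_disallowed_protocols($m[2]) . '"',
    $html
  );
}

// A string counts as safe only if filtering leaves it unchanged.
function string_is_safe(string $string): bool {
  return filter_link_attributes($string) === $string;
}

// Constructed samples modelled on the strings reported above.
$samples = [
  '<a href="[site:url]/admin/config/regional/language">Languages page</a>',
  '<a href="/admin/config/regional/language">Languages page</a>',
  '<a href="https://example.com/help">Help</a>',
];
foreach ($samples as $s) {
  $verdict = string_is_safe($s) ? 'safe  ' : 'UNSAFE';
  echo $verdict, ' ', $s, "\n       -> ", filter_link_attributes($s), "\n";
}
```

In this model the token `[site:url]` is read as a URL with the unknown scheme `[site`, so the attribute is rewritten and the comparison fails, while the same link without the token passes.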

gábor hojtsy’s picture

Title: [META] Fix unsafe core's translatable strings » [META] Fix unsafe core translatable strings
Issue tags: -D8MI-meta +sprint
gábor hojtsy’s picture

Issue tags: -sprint

Let's put the individual issues on the sprint. Sorry that I put the meta on, it makes it hard to track, because this will always be in TODO and then suddenly go away, unlike the actual issues.

gábor hojtsy’s picture

Issue tags: +language-ui

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Version: 8.2.x-dev » 8.3.x-dev

Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Version: 8.5.x-dev » 8.6.x-dev

Version: 8.6.x-dev » 8.8.x-dev

Version: 8.8.x-dev » 8.9.x-dev

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Version: 9.4.x-dev » 9.5.x-dev

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

Status: Active » Postponed (maintainer needs more info)
Issue tags: +stale-issue-cleanup

Thank you for creating this issue to improve Drupal.

We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

smustgrave’s picture

Wanted to bump 1 more time before closing.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

smustgrave’s picture

All the child issues are closed so is this complete?