Possible scope creep, but at some point we should change the "html" property as it is horribly misleading. In know in theory it means "this contains HTML, so trust me, really", but it's completely non-descriptive of what is *actually* implied, which is "don't check-plain me, trust me on the content".

CommentFileSizeAuthor
#8 drupal8.base-system.2070119-8.patch49.17 KBRoSk0
#8 interdiff-2070119-5-8.txt872 bytesRoSk0
#5 drupal8.base-system.2070119-5.patch49.17 KBRoSk0
#2 drupal8.base-system.2070119-2.patch32.38 KBRoSk0
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

RoSk0’s picture

RoSk0
he/him
Primary language Russian
Location Wellington
CreditAttribution: RoSk0 commented
Assigned: Unassigned » RoSk0

Started to work.

RoSk0’s picture

RoSk0
he/him
Primary language Russian
Location Wellington
CreditAttribution: RoSk0 commented
Status: Active » Needs review
FileSize
drupal8.base-system.2070119-2.patch32.38 KB

Initial patch.

Status: Needs review » Needs work

The last submitted patch, drupal8.base-system.2070119-2.patch, failed testing.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented 
+++ b/core/includes/theme.inc
@@ -1704,9 +1704,9 @@ function theme_links($variables) {
-        $item = ($link['html'] ? $link['title'] : check_plain($link['title']));
+        $item = ($link['escape'] ? $link['title'] : check_plain($link['title']));

If you have specified 'html' it did not escaped before. Now this parameter is called 'escape' so isn't the behavior expected to be the other way round? Tip: Provide TRUE as default value.

RoSk0’s picture

RoSk0
he/him
Primary language Russian
Location Wellington
CreditAttribution: RoSk0 commented
FileSize
drupal8.base-system.2070119-5.patch49.17 KB

@dawehner: Thanks. Looks like didn't get the task completely from first time.
New patch.

RoSk0’s picture

RoSk0
he/him
Primary language Russian
Location Wellington
CreditAttribution: RoSk0 commented
Status: Needs work » Needs review

For test bot.

Status: Needs review » Needs work

The last submitted patch, drupal8.base-system.2070119-5.patch, failed testing.

RoSk0’s picture

RoSk0
he/him
Primary language Russian
Location Wellington
CreditAttribution: RoSk0 commented
Status: Needs work » Needs review
FileSize
interdiff-2070119-5-8.txt872 bytes
drupal8.base-system.2070119-8.patch49.17 KB

New patch version.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

8: drupal8.base-system.2070119-8.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 8: drupal8.base-system.2070119-8.patch, failed testing.

The last submitted patch, 8: drupal8.base-system.2070119-8.patch, failed testing.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented

Possible scope creep, but at some point we should change the "html" property as it is horribly misleading. In know in theory it means "this contains HTML, so trust me, really", but it's completely non-descriptive of what is *actually* implied, which is "don't check-plain me, trust me on the content".

This is totally backwards. html is exactly the right name for the property. escape or sanitize or any variation of it just keeps the confusion between security and encoding.

Because you know, it is *not* about security. It's about two different types of strings:

  • Plain-text strings on one side, that have to be encoded to be displayed in an HTML context (but not in a plain-text context like say, a CSV export);
  • HTML strings on the other, that can contain HTML markup. Those do not need to be encoded to be displayed in an HTML context but might have to be sanitized. Those cannot be displayed in a plain-text context, other then approximately (which is the role of drupal_html_to_text).

This is confusing the hell out of people (for example [1] and [2]), and we should not promote the confusion. html: true or false makes perfect sense and do precisely what it says.

pounard’s picture

pounard
Primary language French
CreditAttribution: pounard commented

html may makes perfect sense, but for someone reading the documentation for the first time, escape is clearer because more commonly used. In order to understand the sense of html here you actually have to explain it! While escape means what it means: do or don't fuck up my input string, no matter how. I think that escape with a default to true is actually way clearer for newcommers and people reading the doc. Anyway, the output of the function will always be html and this setting makes no sense at first glance because as a documentation reader, I could question it this way: how do the fuck this function might not return HTML at all?; It's a probable confusion. With escape everything makes it clearer.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented

@pounard: escape (or the other widely used sanitize) need to explain what they do just the same. Are they transforming plain-text to HTML (what is typically called "escaping") or do they remove harmful bits from HTML (what is typically called "sanitizing")?

Which one of those is correct, and how does that depends on the value of the escape parameter?

  • I need to pass plain-text.
  • I need to pass HTML.
  • I need to pass safe HTML.
Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented

If the only problem is that it's unclear that html applies to the input only, let's just rename it to html_text or html_input.

Let's not lose sight that it is about the type of the input, not what the function does with it (and obviously, it would be way easier if we had strong types like PlainTextString and HtmlString, both extending String).

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented
Issue summary: View changes
Related issues: +#2273923: Remove html => TRUE option from l() and link generator.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Needs work » Closed (duplicate)

Per #16.