Possible scope creep, but at some point we should change the "html" property as it is horribly misleading. I know in theory it means "this contains HTML, so trust me, really", but it's completely non-descriptive of what is *actually* implied, which is "don't check-plain me, trust me on the content".
Comment | File | Size | Author |
---|---|---|---|
#8 | drupal8.base-system.2070119-8.patch | 49.17 KB | RoSk0 |
#8 | interdiff-2070119-5-8.txt | 872 bytes | RoSk0 |
#5 | drupal8.base-system.2070119-5.patch | 49.17 KB | RoSk0 |
#2 | drupal8.base-system.2070119-2.patch | 32.38 KB | RoSk0 |
Comments
Comment #1
RoSk0: Started to work.
Comment #2
RoSk0: Initial patch.
Comment #4
dawehner: If you have specified 'html' it was not escaped before. Now this parameter is called 'escape', so isn't the behavior expected to be the other way round? Tip: Provide TRUE as the default value.
Comment #5
RoSk0: @dawehner: Thanks. Looks like I didn't get the task completely the first time.
New patch.
Comment #6
RoSk0: For test bot.
Comment #8
RoSk0: New patch version.
Comment #9
dawehner: #8: drupal8.base-system.2070119-8.patch queued for re-testing.
Comment #12
Damien Tournoud: This is totally backwards. `html` is exactly the right name for the property. `escape` or `sanitize` or any variation of it just keeps the confusion between security and encoding. Because you know, it is *not* about security. It's about two different types of strings:

This is confusing the hell out of people (for example [1] and [2]), and we should not promote the confusion.

`html: true or false` makes perfect sense and does precisely what it says.
Comment #13
pounard: `html` may make perfect sense, but for someone reading the documentation for the first time, `escape` is clearer because it is more commonly used. In order to understand the sense of `html` here you actually have to explain it! While `escape` means what it means: do or don't fuck up my input string, no matter how. I think that `escape` with a default of true is actually way clearer for newcomers and people reading the doc. Anyway, the output of the function will always be `html`, and this setting makes no sense at first glance because as a documentation reader, I could question it this way: how the fuck might this function not return HTML at all? It's a probable confusion. With `escape` everything is clearer.
Comment #14
Damien Tournoud: @pounard: `escape` (or the other widely used `sanitize`) needs to explain what it does just the same. Are they transforming plain text to HTML (what is typically called "escaping") or do they remove harmful bits from HTML (what is typically called "sanitizing")? Which one of those is correct, and how does that depend on the value of the `escape` parameter?
Comment #15
Damien Tournoud: If the only problem is that it's unclear that `html` applies to the input only, let's just rename it to `html_text` or `html_input`. Let's not lose sight that it is about the type of the input, not what the function does with it (and obviously, it would be way easier if we had strong types like PlainTextString and HtmlString, both extending String).
Comment #16
Fabianx:
Comment #22
Anonymous (not verified): Per #16.