Closed (fixed)
Project:
Entity API
Version:
7.x-1.x-dev
Component:
Views integration
Priority:
Normal
Category:
Bug report
Assigned:
Issue tags:
Reporter:
Created:
3 Nov 2013 at 11:24 UTC
Updated:
23 Apr 2014 at 19:09 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
webchickUm.
Comment #2
eliza411 commentedI'm trying to help assure that critical issues get the attention they need, and by Drupal.org standards, critical means "keeping people from getting work done" (or security). Since this is neither, I'm setting the status back to normal.
I'm also tagging and putting in the "needs review" status, since this post so eloquently confirms the issue.
Comment #3
webchickMy mistake. Looks like JS isn't parsed: https://drupal.org/project/issues/search/1481160 Would help if I read the description before freaking out. :D
Comment #4
drummUnpublishing because this seems like a security issue with one of the underlying modules.
Comment #5
drummOh, I just read the entire issue summary too, so not actually a security issue.
SearchAPI uses EntityAPI for Views. I think the relevant code is in
EntityFieldHandlerHelper::render(), http://drupalcode.org/project/entity.git/blob/refs/heads/7.x-1.x:/views/...Either
$handler->get_value($values);should return the value more-filtered, which may have side effects; orarray('html' => TRUE)should be taken out ofrender_entity_link()Comment #6
damien tournoud commentedThe problem is that
entity_views_handler_field_textassumes that the input is HTML, and runs it through:In general, the difference between plaintext and HTML doesn't seem to have been properly thought through in the Entity API views integration.
Looking at the field handlers, defined in
entity_views_get_field_handlers():... it seems like the intent was that
entity_views_handler_field_texthandles only plain-text. So we could change this$this->sanitize_value($value, 'xss');into a$this->sanitize_value($value);. But this is going to break any text field that is actually meant to contain some HTML.For example, the
$node->logproperty apparently is meant to be HTML (even if it is not documented anywhere), because it is passed tofilter_xss()innode_revision_overview():Alternatively, we could introduce a
'html' => TRUEkey in the property info of type'text'and properly handle that, but whatever default value we give to this property we are bound to break stuff.Comment #7
fago'html' => TRUEYeah, something like this seems to be feasible - however I'm not sure it's necessary to do do it now for d7, though.
In Entity API property info we've already keys 'sanitzed', 'sanitze', together with the wrapper's options 'decode' and 'sanitize' it should be sufficient to control the output to be plain text or sanitized html.
So afaik making use of the wrapper's sanitization method in the views field handler combined with providing 'check_plain' as method should be enough.
Comment #8
tvn commentedChanging status per #2.
Comment #9
klonos...coming from the now closed as a dupe of this one #2156041: Display issue titles that contain html tags properly in the issue queue.
Here's a screenshot from that issue of how #550428: Tags like " " or "<p> </p>" or "<br />" added to empty textareas. is displayed in the issue queue:
Comment #10
drummComment #11
valthebaldComment #12
valthebaldI actually don't think this belongs either to EntityAPI or views. It is legitimate for site builders to defined view fields that can contain HTML.
Concerning d.o. implementation, Summary field should be with the following settings:
Comment #13
valthebaldComment #14
valthebaldComment #15
valthebaldComment #16
tvn commentedComment #17
tvn commentedComment #18
tvn commentedWe discussed this with fago, klauis, jthorson and valthebald. The conclusion was to modify generic views handler to be more context aware and check_plain() the output.
Comment #19
drummDoes #18 move this back to Entity API?
Comment #20
tvn commentedIt does!
Comment #21
tvn commentedComment #22
Désiré commentedComment #23
Désiré commentedAfter a long discussion with valthebald we pointed out that it will be enough to add a getter callback to the node title, which will run it trough on check_plain().
Comment #25
Désiré commentedIv'e updated the tests for this:
I talked about this with valthebald and we found out, that however the title should be sanitized by default, we should have a way to get the raw value. The tests now cover these needs.
(The attached patch should fail, it don't contains the previous fix.)
Comment #27
Désiré commentedHere is the full patch, with a getter callback, and a raw getter callback.
Comment #28
Désiré commentedComment #29
Désiré commentedThe last patch contains an accidental kpr() call. But why didn't it break the test?
Here is the fixed one.
Comment #30
valthebaldThat's almost good, but please add a docblock for entity_node_get_raw_title()
Comment #31
Désiré commentedOh.. sorry, here is the new version.
Comment #32
Désiré commentedComment #33
valthebaldLooks great to me.
@klausi: we have discussed and tried alternatives to the approach implemented in the last patch (like pass parameters to entity_views_handler_field_text::render_single_value() via hook_entity_property_info() in node.info.inc, but it render() has no direct access to entity definition.
Comment #34
valthebaldComment #35
fagoNope, that's not how the API works.
This is how it's working. The existing test coverage shows the problem is not in the wrapper / property info.
Comment #36
fagoit's probably the views handler not leveraging wrapper sanitization, i.e. entity_views_handler_field_text (or even more handlers) should use it.
Comment #37
fagoSat together with drunken_monkey to see how to fix this. Attached patch should be the right fix - but it needs testing. Also, there are more sanitize_value() calls in other field handler classes which need to be removed and get replaced by the comment now. Sanitization is taken care of by the wrapper now.
We should verify this change does not break HTML output of e.g. body fields (it should be fine though).
Comment #38
fagoops, please use this patch.
Comment #39
Désiré commentedI have tested the patch from #38, it works well, the titles will be sanitized, the body texts will be displayed with the right text format.
Should we change the other handlers in this issue, or should we open a new one?
Comment #41
fagoGreat! It should be changed here, else it might become double sanitized for others.
Comment #42
Désiré commentedComment #43
valthebaldTest hiccup? Marking for retest
Comment #44
valthebaldOh, and I confirm #38 solves d.o. issue (tested on https://sprint1-drupal.redesign.devdrupal.org/project/issues/search?proj... sandbox)
Comment #45
Désiré commentedI have added the same lines to the other field handlers, but not tested it yet, also I'm not sure they are good everywhere.
Comment #46
Désiré commentedComment #47
Désiré commentedThe last patch passed, but I'm still not sure, that all the field handler are working right now. Can anyone suggest some scenarios which will check them?
Comment #48
fagoShould have a comment why it does no sanitization here.
This seems wrong, render does more than just sanitization. In the case of numbers I guess we can get away with just double sanitize.
Again render does more.
For testing, best create a search api view that lists entities that have properties of each type + display them. Not sure which entity type would be best here.
Comment #49
Désiré commentedI have reverted the render() calls, and added the comment.
I'm also created a veiw for testing, here is how it looks:
Comment #50
Désiré commentedComment #51
valthebaldHaving sanitize_value() removed from entity_views_handler_field_duration::render_single_value(), I think there's no reason for $value to sit on separate line of code.
Otherwise, looks fine for me (and still solves issue queue issue)
Comment #52
Désiré commentedYes, I agree, but I think that neither
or
are better.
Comment #53
valthebaldMakes sense. RTBC then?
Comment #55
fagoThanks, patch looks good and the results also. Thanks, for taking the time to properly test this also!
Committed.
Comment #56
tvn commentedExcellent! Thanks everyone!
Comment #58
drummEntity 1.5 is now deployed on Drupal.org.
Comment #59
tvn commentedHooray!