Problem
- #1798654: Clean faulty HTML in help description of field widgets changed most/all administrative Field UI strings to be additionally normalized into proper HTML upon output.
- The entire rest of Drupal's configuration and administrative interface (1) actively assumes that the user knows HTML and (2) administrative input is solely protected by Xss::filterAdmin().
- That difference presents a major inconsistency with regard to how HTML snippets in administrative settings are output.
Solution A
- Consistently apply the concept of Html::normalize(Xss::filterAdmin($html)) everywhere.
Solution B
- Revert the changes of #1798654: Clean faulty HTML in help description of field widgets and stick with Xss::filterAdmin() only.
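The difference between the two solutions, as an added example that is not part of the issue or of Drupal core. It assumes the drupal/core-utility Composer package is installed under ./vendor; the function names, the unclosed() helper and the sample strings are constructed for illustration.

```php
<?php
// Added example, not Drupal core code. Assumes `composer require
// drupal/core-utility` has been run in this directory (assumption).
require __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Solution B: XSS filtering only. Disallowed tags are stripped, but the
// tag balance of the administrator's input is left untouched.
function render_filter_only(string $html): string {
  return Xss::filterAdmin($html);
}

// Solution A: filter first, then repair the markup structure so that an
// unclosed element cannot swallow the rest of the page.
function render_filter_and_normalize(string $html): string {
  return Html::normalize(Xss::filterAdmin($html));
}

// Hypothetical helper: opening tags minus closing tags. A rough balance
// check that is only meaningful for inputs without void elements.
function unclosed(string $html): int {
  return preg_match_all('/<[a-z]/i', $html) - preg_match_all('#</[a-z]#i', $html);
}

// Constructed sample help texts, as an administrator might enter them.
$samples = [
  'well-formed' => 'Enter a <em>short</em> label.',
  'unclosed div' => '<div class="note">Shown below the field',
  'script and unclosed em' => '<em>Help text<script>alert(1)</script>',
];

foreach ($samples as $name => $input) {
  $b = render_filter_only($input);
  $a = render_filter_and_normalize($input);
  printf("%s\n", $name);
  printf("  filterAdmin only : %s (unclosed tags: %d)\n", $b, unclosed($b));
  printf("  plus normalize   : %s (unclosed tags: %d)\n", $a, unclosed($a));
}
```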
Comments
Comment #1
amateescu commented
For anyone scratching their head at the sight of Html::normalize(Xss::filterAdmin($html)), it's worth noting that solution A depends on #2195745: Replace _filter_htmlcorrector() with a utility class in core.
Comment #2
yoroy at Wunder commented
Appreciate the usability tag but not sure what we can contribute here.
Comment #4
xjm
Comment #5
xjm
@alexpott, @effulgentsia, @Cottser, @catch, and I agreed that this issue is a task. We decided to defer triaging whether it is a major task.
This improvement might be a partial fix for at least one bug: #2793141: Settings Tray, Contextual Links, and Toolbar sub-tray disappear if there is slightly broken HTML on the page
Comment #16
xjm