After having proven that even battle-hardened core developers can't write XSS-free code, we have introduced global escaping to fix a torrent of security holes already present in core, known and unknown, and to avoid the most frequent kind of sechole (security hole) in the history of Drupal contrib. However, this has broken some places that were already securely written, resulting in broken layout and HTML tags shown to users. We need to find those places and update them to be compatible with the new method.
That change fixed escaping globally and therefore caused HTML escaping in places where we explicitly set HTML in a variable. This was expected. The patch was an absolute must, and avoiding or fixing all code paths up front would have taken a lot of time and made an already big patch impossible to review and commit.
Instead we have opted to go ahead with this and let people find the broken pages. If people had cared to review patches this could have been avoided, but we know this is a no-go, so instead we forced it.
@ti2m found escaped strings on several paths:
Another (and the last) update on the crawled URLs. I enabled all modules on a fresh install and crawled the site as user 1. I only found two more URLs with escaped strings (first two in the list below). But the general problem is that e.g. node edit forms aren't covered at all, as no node exists on a vanilla install. I could post a file with all covered URLs, roughly 300, if anyone is interested.
The total list of URLs with escaped HTML strings that I found:
- All 'manage fields' pages (ref: Screenshot)
If at all possible, move all markup into a Twig template. If not, then please read https://www.drupal.org/node/2311123 for alternative solutions. See aneek's patch at for an example.
Change the offending pieces to properly use Twig templates, or use inline templates as described in https://www.drupal.org/node/2311123 .
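The two fixes above, shown side by side on a made-up preprocess function (added example, not code from this issue or from Drupal core; the `example_` function names, the `summary`, `label` and `count` variables and the template name are assumptions). The "before" version is the pattern that global escaping breaks: HTML is assembled in PHP and handed to Twig as a plain string, so Twig's autoescape turns the tags into `&lt;strong&gt;` on output. The "after" version keeps the markup in a render array with an `inline_template`, so Twig escapes the user-supplied value exactly once and the tags stay tags; moving the same markup into a dedicated `.html.twig` file is the preferred form and is shown in the comment.

```php
<?php
// Added example; not part of the issue or of Drupal core.
// Assumed: a theme hook 'example_widget' with variables 'label' and 'count'.

/**
 * Before: HTML built in PHP and passed to the template as a string.
 *
 * With global escaping, {{ summary }} in the template prints
 * "&lt;strong&gt;...&lt;/strong&gt;" to the user, which is the breakage
 * this issue is collecting.
 */
function example_preprocess_example_widget_before(array &$variables) {
  $label = $variables['label'];      // user-controlled, must end up escaped
  $count = (int) $variables['count'];
  $variables['summary'] = '<strong>' . $label . '</strong> (' . $count . ')';
}

/**
 * After (alternative from https://www.drupal.org/node/2311123): keep the
 * markup in a render array with an inline Twig template.
 *
 * Twig autoescapes {{ label }} once; the <strong> tags are part of the
 * template, not of the data, so they render as markup. The parent template
 * still prints it with {{ summary }}.
 */
function example_preprocess_example_widget_after(array &$variables) {
  $variables['summary'] = [
    '#type' => 'inline_template',
    '#template' => '<strong>{{ label }}</strong> ({{ count }})',
    '#context' => [
      'label' => $variables['label'],
      'count' => (int) $variables['count'],
    ],
  ];
}

/*
 * Preferred form: drop the PHP-side markup entirely and put it in the theme
 * template itself (assumed file name example-widget.html.twig):
 *
 *   <strong>{{ label }}</strong> ({{ count }})
 *
 * Then the preprocess function only passes 'label' and 'count' through and
 * there is no 'summary' variable to escape at all.
 */
```

The security property to check when converting a spot: the user-controlled value must reach Twig as a value (`#context` or a template variable), never spliced into a string that is then marked safe, otherwise the conversion reintroduces the XSS the global escaping was meant to remove.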