Problem/Motivation

drupal_set_message(t('whatever') is a common pattern in contrib. We are currently double-escaping this strings if they contain links, even if we use the recommended way ([#322774])

We need to allow this or document the proper way of getting the same message.

Proposed resolution

TBD

Remaining tasks

TBD

Members fund testing for the Drupal project. Drupal Association Learn more

Comments

xjm’s picture

Category: Task » Bug report

Hm, this shouldn't be happening. Anything that goes through t() should be in the safe list.

penyaskito’s picture

Did a quick check, and cannot reproduce. I will check the original code that made this happen last time and see if I can reproduce it there.

webchick’s picture

I see it during install if there's an error:

Escaped HTML in error message.

iMiksu’s picture

I also get during installation when it reports that settings.php is not writeable.

sun’s picture

Priority: Major » Critical

Clearly a release blocker.

Damien Tournoud’s picture

Status: Active » Closed (duplicate)

See #2317281: Double escaping of install errors for the installation process.

drupal_set_message(t()) is not a problem by design.

jibran’s picture

Issue tags: +SafeMarkup
penyaskito’s picture

Issue summary: View changes
Status: Closed (duplicate) » Active
FileSize
31.41 KB

Sorry, but I'm reopening this one again.

      drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="!url">languages</a>.', array('!url' => $this->url('entity.configurable_language.collection'))));

This code double-escapes the message, as seen on #2139185: Notify users when landing on config translation page with only one language listed:

Edited: wrong embedded image

penyaskito’s picture

Status: Active » Closed (duplicate)

Interesting,

       drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="@url">languages</a>.', array('@url' => $this->url('entity.configurable_language.collection'))));

Using @uri instead of !uri works. I expected it to escape the uri, not the full string.
https://www.drupal.org/node/2445441 documents this properly.