Problem/Motivation

drupal_set_message(t('whatever') is a common pattern in contrib. We are currently double-escaping this strings if they contain links, even if we use the recommended way ([#322774])

We need to allow this or document the proper way of getting the same message.

Proposed resolution

TBD

Remaining tasks

TBD

Comments

xjm’s picture

Category: Task » Bug report

Hm, this shouldn't be happening. Anything that goes through t() should be in the safe list.

penyaskito’s picture

Did a quick check, and cannot reproduce. I will check the original code that made this happen last time and see if I can reproduce it there.

webchick’s picture

I see it during install if there's an error:

Escaped HTML in error message.

iMiksu’s picture

I also get during installation when it reports that settings.php is not writeable.

sun’s picture

Priority: Major » Critical

Clearly a release blocker.

Damien Tournoud’s picture

Status: Active » Closed (duplicate)

See #2317281: Double escaping of install errors for the installation process.

drupal_set_message(t()) is not a problem by design.

jibran’s picture

Issue tags: +SafeMarkup
penyaskito’s picture

Issue summary: View changes
Status: Closed (duplicate) » Active
FileSize
31.41 KB

Sorry, but I'm reopening this one again.

      drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="!url">languages</a>.', array('!url' => $this->url('entity.configurable_language.collection'))));

This code double-escapes the message, as seen on #2139185: Notify users when landing on config translation page with only one language listed:

Edited: wrong embedded image

penyaskito’s picture

Status: Active » Closed (duplicate)

Interesting,

       drupal_set_message($this->t('In order to translate configuration, the website must have at least two <a href="@url">languages</a>.', array('@url' => $this->url('entity.configurable_language.collection'))));

Using @uri instead of !uri works. I expected it to escape the uri, not the full string.
https://www.drupal.org/node/2445441 documents this properly.