Hi,
When I add a new content type and new fields, I get the below text under the textarea to specify allowed values. It seems a bit weird.
<p>The possible values this field can contain. Enter one value per line, in the format key|label.<br/>The key is the stored value. The label will be used in displayed values and edit forms.<br/>The label is optional: if a line contains a single string, it will be used as key and label.</p><p>Allowed HTML tags in labels: <a> <b> <big> <code> <del> <em> <i> <ins> <pre> <q> <small> <span> <strong> <sub> <sup> <tt> <ol> <ul> <li> <p> <br> <img></p>
<
should be replaced with <, and >
with > for instance.
Regards,
K.
Comment | File | Size | Author |
---|---|---|---|
#5 | manage_fields__escaped_tags-storage.png | 36.91 KB | organicwire |
#5 | manage_fields__escaped_tags.png | 29.71 KB | organicwire |
#4 | wrong_markup-2344461-4.patch | 787 bytes | screon |
Comments
Comment #1
webmorozov CreditAttribution: webmorozov commentedI was validate current issue and it's actual on my local env.
Issue isn't only with "< should be replaced with <" but other html tags like "p, br" should be rendered correctly.
Look at the allowedValuesDescription() functions and rendering of #description attribute in Form API.
static::checkPlain() used twice for description.
Comment #2
screon CreditAttribution: screon commentedI'll take a look at it. Currently at DrupalCon A'dam.
If I can't figure it out, I'll change the assignee back to unassigned.
Comment #3
screon CreditAttribution: screon commentedComment #4
screon CreditAttribution: screon commentedHere's my (first ever) patch. The only thing that had to change was the twig template, it wasn't rendering the HTML because of the missing "raw" function.
Comment #5
organicwire CreditAttribution: organicwire commentedThe patch did not work for me. Which field type did you create?
I tried to reproduce using these steps:
OR
Improperly escaped html still appears below the help field AND below the fields of allowed values. See attached screenshots.
Comment #6
Rade CreditAttribution: Rade commentedRelated issue here that was fixed in another way #2346611: Wrong characters on field edit page
Comment #7
Rade CreditAttribution: Rade commentedComment #8
screon CreditAttribution: screon commentedShould we close this and mark as duplicate?
Comment #9
organicwire CreditAttribution: organicwire commentedIt's not a complete duplicate. What #2346611 does solve its the markup of the help field. What it doesn't solve is the markup of the field "Allowed values list".
Comment #10
screon CreditAttribution: screon commentedOk, I'll try to expand my patch to support the other field types just to have a fallback option in case the other issues don't solve this completely.
Comment #11
jibranComment #12
joelpittetThis is A solution but we aren't doing that in core.
We need to know where the variable comes from before we can mark it as safe. This means we need to look up at where the description.content is being set and escaping it or at least XSS::filterAdmin() the value.
Also we may have fixed this already with #2324371: Fix common HTML escaped render #key values due to Twig autoescape Could you please confirm?
Comment #13
joelpittetQuickly tested this and it's a duplicate of #2324371: Fix common HTML escaped render #key values due to Twig autoescape which blanket fixed most of these.
Thanks for your help on this, and please re-open if you find these help descriptions are being HTML escaped improperly again.
Also note this is fixed in 8.0.x-dev and earlier than beta3 may still not have the fix. The fix will be available in the next beta3 or greater.