Hi,

When I add a new content type and new fields, I get the below text under the textarea to specify allowed values. It seems a bit weird.

<p>The possible values this field can contain. Enter one value per line, in the format key|label.<br/>The key is the stored value. The label will be used in displayed values and edit forms.<br/>The label is optional: if a line contains a single string, it will be used as key and label.</p><p>Allowed HTML tags in labels: &lt;a&gt; &lt;b&gt; &lt;big&gt; &lt;code&gt; &lt;del&gt; &lt;em&gt; &lt;i&gt; &lt;ins&gt; &lt;pre&gt; &lt;q&gt; &lt;small&gt; &lt;span&gt; &lt;strong&gt; &lt;sub&gt; &lt;sup&gt; &lt;tt&gt; &lt;ol&gt; &lt;ul&gt; &lt;li&gt; &lt;p&gt; &lt;br&gt; &lt;img&gt;</p>

&lt; should be replaced with <, and &gt; with > for instance.

Regards,
K.

CommentFileSizeAuthor
#5 manage_fields__escaped_tags-storage.png36.91 KBorganicwire
#5 manage_fields__escaped_tags.png29.71 KBorganicwire
#4 wrong_markup-2344461-4.patch787 bytesscreon
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

webmorozov’s picture

webmorozov CreditAttribution: webmorozov commented
Version: 8.0.x-dev » 8.0.0-beta1
Issue tags: +Amsterdam2014

I was validate current issue and it's actual on my local env.
Issue isn't only with "< should be replaced with <" but other html tags like "p, br" should be rendered correctly.
Look at the allowedValuesDescription() functions and rendering of #description attribute in Form API.

static::checkPlain() used twice for description.

screon’s picture

screon CreditAttribution: screon commented

I'll take a look at it. Currently at DrupalCon A'dam.

If I can't figure it out, I'll change the assignee back to unassigned.

screon’s picture

screon CreditAttribution: screon commented
Assigned: Unassigned » screon
screon’s picture

screon CreditAttribution: screon commented
Assigned: screon » Unassigned
Status: Active » Needs review
FileSize
wrong_markup-2344461-4.patch787 bytes

Here's my (first ever) patch. The only thing that had to change was the twig template, it wasn't rendering the HTML because of the missing "raw" function.

organicwire’s picture

organicwire CreditAttribution: organicwire commented
Title: Wrong markup » Field configuration: Improperly escaped markup in #description fields
Status: Needs review » Needs work
FileSize
manage_fields__escaped_tags.png29.71 KB
manage_fields__escaped_tags-storage.png36.91 KB

The patch did not work for me. Which field type did you create?

I tried to reproduce using these steps:

  • create new content type
  • create new field, type "text (plain)" and "List (text)"
  • Edit field settings at admin/structure/types/manage/{NODE-TYPE}/fields/node.{NODE-TYPE}.field_{FIELD-NAME}
    OR
  • Edit field storage setting at admin/structure/types/manage/{NODE-TYPE}/fields/node.{NODE-TYPE}.field_{FIELD-NAME}/storage

Improperly escaped html still appears below the help field AND below the fields of allowed values. See attached screenshots.

Rade’s picture

Rade CreditAttribution: Rade commented

Related issue here that was fixed in another way #2346611: Wrong characters on field edit page

Rade’s picture

Rade CreditAttribution: Rade commented
Parent issue: » #2297711: Fix HTML escaping due to Twig autoescape
screon’s picture

screon CreditAttribution: screon commented

Should we close this and mark as duplicate?

organicwire’s picture

organicwire CreditAttribution: organicwire commented

It's not a complete duplicate. What #2346611 does solve its the markup of the help field. What it doesn't solve is the markup of the field "Allowed values list".

screon’s picture

screon CreditAttribution: screon commented

Ok, I'll try to expand my patch to support the other field types just to have a fallback option in case the other issues don't solve this completely.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Issue tags: +SafeMarkup
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented
Issue tags: +Needs manual testing, +Novice 
+++ b/core/modules/system/templates/form-element.html.twig
@@ -50,7 +50,7 @@
-      {{ description.content }}
+      {{ description.content | raw }}

@@ -62,7 +62,7 @@
-      {{ description.content }}
+      {{ description.content | raw }}

This is A solution but we aren't doing that in core.

We need to know where the variable comes from before we can mark it as safe. This means we need to look up at where the description.content is being set and escaping it or at least XSS::filterAdmin() the value.

Also we may have fixed this already with #2324371: Fix common HTML escaped render #key values due to Twig autoescape Could you please confirm?

joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented
Version: 8.0.0-beta1 » 8.0.x-dev
Status: Needs work » Closed (duplicate)
Issue tags: -Needs manual testing, -Novice

Quickly tested this and it's a duplicate of #2324371: Fix common HTML escaped render #key values due to Twig autoescape which blanket fixed most of these.

Thanks for your help on this, and please re-open if you find these help descriptions are being HTML escaped improperly again.

Also note this is fixed in 8.0.x-dev and earlier than beta3 may still not have the fix. The fix will be available in the next beta3 or greater.