Problem/Motivation

Installer errors are double escaped. This issue is for handling the database settings form errors. Check screenshots:

Before

After

Proposed resolution

Use SafeMarkup function to correct escape error messages. And be sure that messages strings are safe using isSafe function. If they are not safe, then make them safe using checkPlain function.

Files: 
CommentFileSizeAuthor
#16 fix_wrong_escaped-2346249-16.patch762 byteslauriii
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,073 pass(es). View

Comments

rteijeiro’s picture

Issue summary: View changes
joelpittet’s picture

Assigned: rteijeiro » Unassigned
Status: Needs review » Reviewed & tested by the community
Issue tags: +Autoescape
Parent issue: #2317281: Double escaping of install errors » #2297711: Fix HTML escaping due to Twig autoescape
Related issues: +#2317281: Double escaping of install errors

Awesome, thank you @rteijeiro.

This makes sure that $result is safe before concatenating it and the resulting string is always safe before SafeMarkup::set() is called on it.

rteijeiro’s picture

Issue tags: +Amsterdam2014

Tagging for DrupalConEur

webchick’s picture

Status: Reviewed & tested by the community » Fixed

YEAH! So happy to have this fixed this before beta. :)

Committed and pushed to 8.x. Thanks!

  • webchick committed 64d6915 on 8.0.x
    Issue #2346249 by rteijeiro: Fixed wrong escaped errors in Installer -...
Pere Orga’s picture

       if (!$success) {
-        $message .= '<p class="error">' . $result  . '</p>';
+        $message = SafeMarkup::isSafe($result) ? $result : String::checkPlain($result);
       }

But the code above will output only one error - the last one, right?

And why the error class was removed?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

jibran’s picture

Issue tags: +SafeMarkup
Pere Orga’s picture

Status: Closed (fixed) » Needs work
joelpittet’s picture

@Pere Orga is correct, this is wrong. Also we should just use SafeMarkup::escape(), then we don't need the use String;.

Cristian.Andrei’s picture

FileSize
802 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 80,975 pass(es). View

created a patch that took into account joelpittet's suggestions

Cristian.Andrei’s picture

forgot to upload the screenshot that demonstrates multiple error messages being displayed after the patch has been submitted.

Cristian.Andrei’s picture

Status: Needs work » Needs review
joelpittet’s picture

Status: Needs review » Needs work

@Cristian.Andrei thanks for the patch, the beauty of the SafeMarkup::escape() is that it does the isSafe() check inside it.

I'm not sure yet how best to deal with @Pere Orga's point, but it will likely need to be building up an array for $message and if all items are SafeMarkup::escape()'d we can SafeMarkup::set() the imploded array.

Cristian.Andrei’s picture

@joelpittet, you're welcome.

Can't help but wonder as to why would we need to build up an array for $message ? The functionality is there and it seems to work pretty much OK.

lauriii’s picture

Status: Needs work » Needs review
FileSize
762 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 81,073 pass(es). View
joelpittet’s picture

Status: Needs review » Needs work

@Cristian.Andrei
Because of this comment by @Pere Orga

But the code above will output only one error - the last one, right?

Before the string was producing concatenated markup to build out the string. By concatenating another string onto the string marked safe it is no longer a safe string.

But actually you are totally right, this doesn't need to be an array, it can stay concatenation, I don't know what I was thinking:S

@lauriii mind tackling that?
Concatenate the $message string like before, leave the SafeMarkup::escape() as you have itt in #16 and SafeMarkup::set() the resulting $message. That way we won't get double escape, it will escape if necessary, and concatenated.

lauriii’s picture

Created follow-up

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.