Problem/Motivation

Installer errors are double escaped. This issue is for handling the database settings form errors. Check screenshots:

Before

After

Proposed resolution

Use SafeMarkup function to correct escape error messages. And be sure that messages strings are safe using isSafe function. If they are not safe, then make them safe using checkPlain function.

CommentFileSizeAuthor
#16 fix_wrong_escaped-2346249-16.patch762 byteslauriii
#12 fix_wrong_escaped_screenshot.png99.62 KBCristian.Andrei
#11 fix_wrong_escaped-2346249-11.patch802 bytesCristian.Andrei
fix-install-database-errors.patch1.32 KBrteijeiro
install-error.png61.35 KBrteijeiro
install-errors-no-escaped.png71.74 KBrteijeiro
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

rteijeiro’s picture

rteijeiro CreditAttribution: rteijeiro commented
Issue summary: View changes
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented
Assigned: rteijeiro » Unassigned
Status: Needs review » Reviewed & tested by the community
Issue tags: +Autoescape
Parent issue: #2317281: Double escaping of install errors » #2297711: Fix HTML escaping due to Twig autoescape
Related issues: +#2317281: Double escaping of install errors

Awesome, thank you @rteijeiro.

This makes sure that $result is safe before concatenating it and the resulting string is always safe before SafeMarkup::set() is called on it.

rteijeiro’s picture

rteijeiro CreditAttribution: rteijeiro commented
Issue tags: +Amsterdam2014

Tagging for DrupalConEur

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

YEAH! So happy to have this fixed this before beta. :)

Committed and pushed to 8.x. Thanks!

  • webchick committed 64d6915 on 8.0.x 
    Issue #2346249 by rteijeiro: Fixed wrong escaped errors in Installer -...
Pere Orga’s picture

Pere Orga
Primary language Catalan
CreditAttribution: Pere Orga commented 
       if (!$success) {
-        $message .= '<p class="error">' . $result  . '</p>';
+        $message = SafeMarkup::isSafe($result) ? $result : String::checkPlain($result);
       }

But the code above will output only one error - the last one, right?

And why the error class was removed?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Sydney, Australia
CreditAttribution: jibran commented
Issue tags: +SafeMarkup
Pere Orga’s picture

Pere Orga
Primary language Catalan
CreditAttribution: Pere Orga commented
Status: Closed (fixed) » Needs work
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented

@Pere Orga is correct, this is wrong. Also we should just use SafeMarkup::escape(), then we don't need the use String;.

Cristian.Andrei’s picture

Cristian.Andrei CreditAttribution: Cristian.Andrei commented
FileSize
fix_wrong_escaped-2346249-11.patch802 bytes

created a patch that took into account joelpittet's suggestions

Cristian.Andrei’s picture

Cristian.Andrei CreditAttribution: Cristian.Andrei commented
FileSize
fix_wrong_escaped_screenshot.png99.62 KB

forgot to upload the screenshot that demonstrates multiple error messages being displayed after the patch has been submitted.

Cristian.Andrei’s picture

Cristian.Andrei CreditAttribution: Cristian.Andrei commented
Status: Needs work » Needs review
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented
Status: Needs review » Needs work

@Cristian.Andrei thanks for the patch, the beauty of the SafeMarkup::escape() is that it does the isSafe() check inside it.

I'm not sure yet how best to deal with @Pere Orga's point, but it will likely need to be building up an array for $message and if all items are SafeMarkup::escape()'d we can SafeMarkup::set() the imploded array.

Cristian.Andrei’s picture

Cristian.Andrei CreditAttribution: Cristian.Andrei commented

@joelpittet, you're welcome.

Can't help but wonder as to why would we need to build up an array for $message ? The functionality is there and it seems to work pretty much OK.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii commented
Status: Needs work » Needs review
FileSize
fix_wrong_escaped-2346249-16.patch762 bytes
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet commented
Status: Needs review » Needs work

@Cristian.Andrei
Because of this comment by @Pere Orga

But the code above will output only one error - the last one, right?

Before the string was producing concatenated markup to build out the string. By concatenating another string onto the string marked safe it is no longer a safe string.

But actually you are totally right, this doesn't need to be an array, it can stay concatenation, I don't know what I was thinking:S

@lauriii mind tackling that?
Concatenate the $message string like before, leave the SafeMarkup::escape() as you have itt in #16 and SafeMarkup::set() the resulting $message. That way we won't get double escape, it will escape if necessary, and concatenated.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii commented
Status: Needs work » Fixed
Related issues: +#2374847: Only last one of the database settings form errors is being printed

Created follow-up

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.