Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Installer errors are double escaped. This issue is for handling the database settings form errors. Check screenshots:
Before
After
Proposed resolution
Use SafeMarkup function to correct escape error messages. And be sure that messages strings are safe using isSafe function. If they are not safe, then make them safe using checkPlain function.
Comment | File | Size | Author |
---|---|---|---|
#16 | fix_wrong_escaped-2346249-16.patch | 762 bytes | lauriii |
Comments
Comment #1
rteijeiro CreditAttribution: rteijeiro commentedComment #2
joelpittetAwesome, thank you @rteijeiro.
This makes sure that $result is safe before concatenating it and the resulting string is always safe before SafeMarkup::set() is called on it.
Comment #3
rteijeiro CreditAttribution: rteijeiro commentedTagging for DrupalConEur
Comment #4
webchickYEAH! So happy to have this fixed this before beta. :)
Committed and pushed to 8.x. Thanks!
Comment #6
Pere OrgaBut the code above will output only one error - the last one, right?
And why the
error
class was removed?Comment #8
jibranComment #9
Pere OrgaComment #10
joelpittet@Pere Orga is correct, this is wrong. Also we should just use
SafeMarkup::escape()
, then we don't need theuse String;
.Comment #11
Cristian.Andrei CreditAttribution: Cristian.Andrei commentedcreated a patch that took into account joelpittet's suggestions
Comment #12
Cristian.Andrei CreditAttribution: Cristian.Andrei commentedforgot to upload the screenshot that demonstrates multiple error messages being displayed after the patch has been submitted.
Comment #13
Cristian.Andrei CreditAttribution: Cristian.Andrei commentedComment #14
joelpittet@Cristian.Andrei thanks for the patch, the beauty of the SafeMarkup::escape() is that it does the isSafe() check inside it.
I'm not sure yet how best to deal with @Pere Orga's point, but it will likely need to be building up an array for $message and if all items are SafeMarkup::escape()'d we can SafeMarkup::set() the imploded array.
Comment #15
Cristian.Andrei CreditAttribution: Cristian.Andrei commented@joelpittet, you're welcome.
Can't help but wonder as to why would we need to build up an array for $message ? The functionality is there and it seems to work pretty much OK.
Comment #16
lauriiiComment #17
joelpittet@Cristian.Andrei
Because of this comment by @Pere Orga
Before the string was producing concatenated markup to build out the string. By concatenating another string onto the string marked safe it is no longer a safe string.
But actually you are totally right, this doesn't need to be an array, it can stay concatenation, I don't know what I was thinking:S
@lauriii mind tackling that?
Concatenate the $message string like before, leave the SafeMarkup::escape() as you have itt in #16 and SafeMarkup::set() the resulting $message. That way we won't get double escape, it will escape if necessary, and concatenated.
Comment #18
lauriiiCreated follow-up