Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
- Now that we have SafeMarkup::escape(), which has more intelligence than String::checkPlain(), there's no reason not to use it within String::format().
- Doing so will allow '@' to be safely used for variables containing HTML without double-escaping.
Proposed resolution
See issue title and patch.
Remaining tasks
Review. Commit.
User interface changes
None.
API changes
Only a break for people who were passing already-escaped text/HTML as @ or % placeholder values and wanting that to get double-escaped. This is unlikely. Such places will now need to call String::checkPlain() themselves on those placeholders to achieve that double-escaping.
Beta phase evaluation
Issue category | Task because D7 always escaped these placeholders, so it's not yet been decided to do otherwise. |
---|---|
Issue priority | Major because it allows easy fixing of many double-escaping bugs left throughout Drupal. |
Disruption | Only disruptive for modules that are passing already escaped text and wanting it to get double escaped. They now need to be more explicit about wanting that. |
Comment | File | Size | Author |
---|---|---|---|
#12 | interdiff.txt | 925 bytes | effulgentsia |
#12 | string-format-autoescape-12.patch | 8.56 KB | effulgentsia |
#7 | interdiff.txt | 1.13 KB | effulgentsia |
#7 | string-format-autoescape-7.patch | 8.55 KB | effulgentsia |
#6 | interdiff.txt | 2.28 KB | effulgentsia |
Comments
Comment #1
Fabianx CreditAttribution: Fabianx commentedThat is a good idea to do regardless of what else we do.
Do we need additional tests for this?
Else this would be RTBC from my side.
Comment #2
effulgentsia CreditAttribution: effulgentsia commentedHere's the test addition, but without the change to
String
. The new test fails and I'm curious if there's any existing test to catch the double-escaping that would happen from the changes toinstall.core.inc
without the corresponding fix toString
.Comment #4
effulgentsia CreditAttribution: effulgentsia commentedWell, not surprising that we don't have full test coverage of the installer. Ok, taking those hunks out then, and attempting some changes that are more interesting. This is still without
String
changes, so I hope some tests catch these double-escaping problems.Comment #6
effulgentsia CreditAttribution: effulgentsia commentedGreat. At least some RDF tests are catching the double-escaping bugs. So, here's the original changes to
String
that fixes them. This patch therefore now demonstrates the key benefit of the change, which is we can start using@
even for variables that already contain rendered HTML.Comment #7
effulgentsia CreditAttribution: effulgentsia commentedSome docs improvements based on what I encountered today while working on this issue.
Comment #9
Fabianx CreditAttribution: Fabianx commentedNice work!
Comment #12
effulgentsia CreditAttribution: effulgentsia commentedWow. A test that fails based on just docs. Reworded the docs to not trigger that failure.
Comment #13
Fabianx CreditAttribution: Fabianx commentedLol, nice.
I re-reviewed the patch and this is RTBC.
The beta evaluation made me laugh :) - Yes, I really want to keep double-escaped text1111!!!!1111
j/k - Let's get this in.
Comment #14
amateescu CreditAttribution: amateescu commentedI think the changes in the twig files really show that this is a very nice idea/patch :) Since this is an area that is used a lot at runtime, are there any performance concerns for the switch from
String::checkPlain()
toSafeMarkup::escape()
?Just a very minor point here, "use" can go back up at the end of the previous line. Can be easily fixed on commit.
Comment #15
Fabianx CreditAttribution: Fabianx commented#14: One function call more overall, but if escaped already, saving the call to ::checkPlain().
So in the worst case one function call more, in the best case, saving the check_plain operation.
Comment #16
star-szrThis seems to make a lot of sense, thank you very much @effulgentsia!
Comment #17
alexpottNice. Committed b33a46b and pushed to 8.0.x. Thanks!
Thank you for adding the beta evaluation to issue summary.