Locked view warning message rendering as code [#2478845]

Problem/Motivation

When I try to edit a view that I'm editing when logged in elsewhere, I get the expected locked view error message. The message, however, renders as code, rather than formatted. This means that the release lock link is not clickable, and for someone who doesn't know HTML, this might be intimidating.

Steps to reproduce:

Have two browsers open. Edit a view in one browser, and leave the view in edit mode.
Go to the other browser, edit the view.
Make a change to the view. You will see the locked view error message come up.

locked view error message

Proposed resolution

I believe this is the same issue as this one:
https://www.drupal.org/node/2309215
and can be resolved the same way.

My apologies if there is already an issue filed for this that I did not find in my search.

Comment	File	Size	Author
#9	Screen Shot 2015-09-25 at 08.40.47.png	37.55 KB	mr.baileys
#1	2478845-1.patch	816 bytes	olli
#1
	Images__Content____d8or.png	94.85 KB	rainbreaw

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

olli CreditAttribution: olli commented 14 May 2015 at 16:01

Version:	8.0.0-beta9	» 8.0.x-dev
Status:	Active	» Needs review
Issue tags:		+SafeMarkup

File	Size
2478845-1.patch	816 bytes

The problem seems to be in formatInterval when there is more than one component (for example "5 days 31 min").

Comment #2

manauwarsheikh CreditAttribution: manauwarsheikh commented 23 May 2015 at 16:33

Status:	Needs review	» Reviewed & tested by the community
Issue tags:		+#SrijanSprintDay

Seems fine after applying latest patch, marking to RTBC.

Comment #3

RavindraSingh CreditAttribution: RavindraSingh as a volunteer and at Srijan | A Material+ Company commented 24 May 2015 at 07:26

Status:	Reviewed & tested by the community	» Needs work
Issue tags:		+Needs tests

Test needs after updating code to

+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Datetime\DrupalDateTime;
@@ -189,7 +190,7 @@ public function formatInterval($interval, $granularity = 2, $langcode = NULL) {
         break;
       }
     }
-    return $output ? $output : $this->t('0 sec', array(), array('langcode' => $langcode));
+    return $output ? SafeMarkup::set($output) : $this->t('0 sec', array(), array('langcode' => $langcode));
   }
 
   /**

Comment #4

joelpittet

English

Vancouver

CreditAttribution: joelpittet as a volunteer and for Drupal Association commented 5 June 2015 at 16:35

Parent issue:

» #2297711: Fix HTML escaping due to Twig autoescape

Setting parent meta.

Comment #5

joelpittet

English

Vancouver

CreditAttribution: joelpittet as a volunteer and for Drupal Association commented 5 June 2015 at 16:38

+++ b/core/lib/Drupal/Core/Datetime/DateFormatter.php
@@ -189,7 +190,7 @@ public function formatInterval($interval, $granularity = 2, $langcode = NULL) {
+    return $output ? SafeMarkup::set($output) : $this->t('0 sec', array(), array('langcode' => $langcode));

Can you use SafeMarkup::escape() here? We are avoiding using SafeMarkup::set() as part of this issue #2280965: [meta] Remove every SafeMarkup::set() call. At the very least this needs to be documented why $output is considered safe.

Where is the $output coming from?

Comment #6

joelpittet

English

Vancouver

CreditAttribution: joelpittet as a volunteer and for Drupal Association commented 5 June 2015 at 16:40

Sorry escape isn't a viable solution, I was looking just at the patch. Here's the context for the concatenation build up of output.

  public function formatInterval($interval, $granularity = 2, $langcode = NULL) {
    $output = '';
    foreach ($this->units as $key => $value) {
      $key = explode('|', $key);
      if ($interval >= $value) {
        $output .= ($output ? ' ' : '') . $this->formatPlural(floor($interval / $value), $key[0], $key[1], array(), array('langcode' => $langcode));
        $interval %= $value;
        $granularity--;
      }

      if ($granularity == 0) {
        break;
      }
    }
    return $output ? $output : $this->t('0 sec', array(), array('langcode' => $langcode));
  }

Comment #7

joelpittet

English

Vancouver

CreditAttribution: joelpittet as a volunteer and for Drupal Association commented 8 June 2015 at 15:57

Status:

Needs work

» Postponed

I'm going to add this to the postponed list till we figure out this joining issue:
#2501975: Determine how to update code that currently joins strings in SafeMarkup::set()

Comment #8

akalata CreditAttribution: akalata commented 13 August 2015 at 18:14

Status:

Postponed

» Needs work

No longer blocked, though the discussion in #2501975: Determine how to update code that currently joins strings in SafeMarkup::set() might be valuable to identify the best solution in this case.

Comment #9

mr.baileys

Dutch

🇧🇪 (Ghent)

CreditAttribution: mr.baileys at Calibrate commented 25 September 2015 at 06:44

File	Size
Screen Shot 2015-09-25 at 08.40.47.png	37.55 KB

Looks like this was fixed in head, as I'm no longer seeing the escaped locked message with current HEAD.

Text on locked message no longer escaped.

The only thing left might be to write a test, although I assume we are not going to test for double-escaping all over the place. It does seem that there is no test for the locked message itself though, so maybe we can add that (which will then implicitly also test for the double-escaping).

Comment #10

akalata CreditAttribution: akalata commented 26 September 2015 at 10:52

Status:	Needs work	» Closed (duplicate)
Related issues:		+#2506479: Replace !placeholder with @placeholder for non URLs in t() in Views, except for t() output that is used as an attribute value

Thanks for finding that mr.baileys! With some research I found this was resolved in #2506479: Replace !placeholder with @placeholder for non URLs in t() in Views, except for t() output that is used as an attribute value. If you'd like to follow up on the test for the revision message, that should be a separate issue.