Problem/Motivation

Follow-up to #2273925: Ensure #markup is XSS escaped in Renderer::doRender()

+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -94,7 +94,7 @@ public static function preRenderHtmlTag($element) {
     if (!empty($element['#noscript'])) {
-      $element['#markup'] = '<noscript>' . $markup . '</noscript>';
+      $element['#markup'] = SafeMarkup::format('<noscript>!markup</noscript>', array('!markup' => $markup));
     }

Needs followup: the #noscript element is not documented at alllll

Proposed resolution

Document it

Remaining tasks

Do it

User interface changes

None

API changes

None

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category Bug (adding missing documentation).
Issue priority Minor, but wanted for a critical
Unfrozen changes Unfrozen because it only changes documentation.
Disruption Not disruptive.
CommentFileSizeAuthor
#16 document_noscript_element-2494293-16.patch679 bytesumarzaffer
#12 document_noscript_element-2494293-11.patch563 bytesashutoshsngh
#7 document_noscript_element-2494293-7.patch1.05 KBumarzaffer
#6 document_noscript_element-2494293-6.patch1.05 KBumarzaffer
#3 document_noscript_element-2494293-3.patch1.05 KBpguillard
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Related issues: +#2273925: Ensure #markup is XSS escaped in Renderer::doRender()
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Related issues: +#2494297: [no patch] Consolidate change records relating to safe markup and filtering/escaping to ensure cross references exist
pguillard’s picture

pguillard CreditAttribution: pguillard commented
FileSize
document_noscript_element-2494293-3.patch1.05 KB

I wonder about that one:

+   *   - #noscript: A flag indicating if the tag should be inserted in a
+   *     <noscript> element, for users that have disabled scripts in their
+   *     browser or have a browser that doesn't support script.

Maybe too long, maybe not a flag..

Hope it helps anyway...

pguillard’s picture

pguillard CreditAttribution: pguillard commented
Status: Active » Needs review
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet as a volunteer and for Drupal Association commented
Status: Needs review » Needs work
Issue tags: +D8 Accelerate 
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -94,7 +97,7 @@ public static function preRenderHtmlTag($element) {
+      $element['#markup'] = SafeMarkup::format('<noscript>!markup</noscript>', array('!markup' => $markup));

We can actually use @ here. ! is now more meant for plain text use-cases. As long as the variable is safe it won't be escaped similar to what happens in the twig template.

Regarding the comment. I think we could probably stop at this without explaining what a noscript tag is for:

#noscript: A flag indicating if the tag should be inserted in a
+ * element.

What do you think?

Thank you for the patch @pguillard!

umarzaffer’s picture

umarzaffer CreditAttribution: umarzaffer at Srijan | A Material+ Company commented
Status: Needs work » Needs review
FileSize
document_noscript_element-2494293-6.patch1.05 KB

Sorry, made a silly miss! Submitting the corrected one next

umarzaffer’s picture

umarzaffer CreditAttribution: umarzaffer at Srijan | A Material+ Company commented
FileSize
document_noscript_element-2494293-7.patch1.05 KB

The last submitted patch, 6: document_noscript_element-2494293-6.patch, failed testing.

RavindraSingh’s picture

RavindraSingh CreditAttribution: RavindraSingh as a volunteer and at Srijan | A Material+ Company commented
Status: Needs review » Reviewed & tested by the community

Thank you @umarzaffer for the patch.

@joelpittet, the patch #7 looks good to me.

This patch is using @ instead of !
Moving this to RTBC.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Priority: Minor » Normal
Status: Reviewed & tested by the community » Needs work

Thanks @umarzaffer and @RavindraSingh!

  1. +++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -64,6 +64,9 @@ public function getInfo() {
+   *   - #noscript: A flag indicating if the tag should be inserted in a
+   *     <noscript> element, for users that have disabled scripts in their
+   *     browser or have a browser that doesn't support script.

    I think we can remove everything after the comma here since the tag is a part of the HTML spec. 

  2. +++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -94,7 +97,7 @@ public static function preRenderHtmlTag($element) {
-      $element['#markup'] = '<noscript>' . $markup . '</noscript>';
+      $element['#markup'] = SafeMarkup::format('<noscript>!markup</noscript>', array('!markup' => $markup));

    The scope of the issue is just to document it; this change is out of scope. Can we remove it?

lokapujya’s picture

lokapujya
Primary language English
Location Boston
CreditAttribution: lokapujya at Babson College commented
Issue summary: View changes
ashutoshsngh’s picture

ashutoshsngh CreditAttribution: ashutoshsngh at Srijan | A Material+ Company commented
Status: Needs work » Needs review
Issue tags: +SrijanSprintNight
FileSize
document_noscript_element-2494293-11.patch563 bytes
RavindraSingh’s picture

RavindraSingh CreditAttribution: RavindraSingh as a volunteer and at Srijan | A Material+ Company commented
Status: Needs review » Reviewed & tested by the community

Thank you @xjm, for giving quick feedback.

Thanks @ashutoshsngh for new patch and @lokapujya for changes summary.

The patch added in #12 looks what @xjm has suggested. So moving this to RTBC

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Component: forms system » documentation
Status: Reviewed & tested by the community » Needs work

Apologies for the slightly hurried review before; I think there are a couple more things we need to do here:

  1. It needs to have (optional) at the beginning since it's not a required key.
  2. It should specifically say "the markup" rather than "the tag" since the noscript goes around everything, including the prefix. suffix, etc.
  3. We should add a sentence for what the allowed values are. Looking at the code, it looks like any non-empty value will result in the noscript being added.

So something like:

(optional) If TRUE, the markup (including any prefix or suffix) will be wrapped in a <noscript> element. (Note that passing any non-empty value here will add the <noscript> tag.)

Sorry for not catching this the first time around. :)

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Category: Task » Bug report
Issue summary: View changes

Updating the beta evaluation. It doesn't matter here, but be sure to review what's unfrozen for other issues. (Converting code to best practices is not unfrozen.) Thanks!

umarzaffer’s picture

umarzaffer CreditAttribution: umarzaffer at Srijan | A Material+ Company commented
Status: Needs work » Needs review
FileSize
document_noscript_element-2494293-16.patch679 bytes

Thanks @xjm for reviewing and providing suggestions. Have added the documentation for #noscript as per your suggestion.

pguillard’s picture

pguillard CreditAttribution: pguillard commented
Status: Needs review » Reviewed & tested by the community

I have not taken the time to continue the work. I think it is fair to move to RTBC.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Assigned: Unassigned » jhodgdon
Related issues: +#2068471: Normalize Controller/View-listener behavior with a Page object

Just to confirm that the docs were complete and not missing anything, I went to look for when the element was originally added. It was in #2068471: Normalize Controller/View-listener behavior with a Page object to work around something:

The real problem was that when not in maintenance mode, the #prefix/#suffix (noscript) was being ignored. This approach was hashed out between me, Crell, and msonnabaum.

he noscript tag around the meta-refresh tag is missing, which causes the page to refresh on its own out of sync with the ajax code. The problem is that the fix for that for batch API assumes the rendered code for the page runs through template_preprocess_page, but the maintenance page doesn't.

Those problems were addressed in two interdiffs in #190 and #207 of that issue. Those comments didn't make it clear to me at first why setting the noscript tags as prefix and suffix didn't work, and I was trying to decide if we should document that here...

\Drupal\Tests\Core\Render\Element\HtmlTagTest has test coverage and those tests only assert that the element does exactly what we say here. :) So this is fine I think, even if it is a weird internal-use edgecase thing.

Since I kind of wrote the comment in its current form via my review, I think I probably shouldn't commit this myself, so assigning to @jhodgdon in case she has a chance to take a look at it.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Title: Document the #noscript element » Document the #noscript property
Assigned: jhodgdon » Unassigned
Status: Reviewed & tested by the community » Fixed

Looks good to me! Committed to 8.0.x. Thanks all!

  • jhodgdon committed 5340b18 on 8.0.x 
    Issue #2494293 by umarzaffer, pguillard, ashutoshsngh, xjm,...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.