Problem/Motivation

Follow up for #2273925: Ensure #markup is XSS escaped in Renderer::doRender()

Finally, I read over the updated change records. Great work; I think they are ready for this issue. A related followup I'd like to see is further consolidating the change records into one and/or at least referencing them as "see also". (E.g., SafeMarkup::format()'s vastly improved and de-fragilified (probably not a word) use of the tokens and how they behave with the SafeMarkup list.

Proposed resolution

Do it

Remaining tasks

Everything

User interface changes

None

API changes

None

Comments

xjm’s picture

xjm
she/her
Primary language English
commented
Related issues: +#2273925: Ensure #markup is XSS escaped in Renderer::doRender()
leslieg’s picture

leslieg commented
Issue tags: +D8 Accelerate

a group of us are sprinting on this issue as part of NHDevDays2 D8 Accelerate sprint

yesct’s picture

yesct commented
Priority: Minor » Normal

I'm pretty sure https://www.drupal.org/core/issue-priority defines minor as typos. And this is more than that. So changing to normal.

xjm’s picture

xjm
she/her
Primary language English
commented

See also #2280965-20: [meta] Remove every SafeMarkup::set() call about the reordering of the recommended replacements in the CR. Or here are notes on it from our planning meeting:

Update "4 options" so that SafeMarkup::format() is first, document use-cases of the inline templates and calling the service
When to use SafeMarkup::format() vs. #type inline templates
Inline templates are alterable by modules, themes, overrides

leslieg’s picture

leslieg commented

Evaluated the following change records and updated as indicated:

1. https://www.drupal.org/node/2296163 - updated description to be clearer
2. https://www.drupal.org/node/2302363
3. https://www.drupal.org/node/2311123 - removed option 3, changed option 4 to option 2, added link to safemarkup class description located at https://www.drupal.org/node/2296163
4. https://www.drupal.org/node/2445441

https://www.drupal.org/node/2489900 is a draft change record that will possibly need to be combined once published

we will evaluate #2280965-20 again based on your recommendation

xjm’s picture

xjm
she/her
Primary language English
commented
Status: Active » Needs review

Thanks @leslieg! Marking for review.

xjm’s picture

xjm
she/her
Primary language English
commented
Issue tags: +SafeMarkup
xjm’s picture

xjm
she/her
Primary language English
commented

https://www.drupal.org/node/2311123 should be merged into the main change record in https://www.drupal.org/node/2296163, and should also mention that using render arrays is also a preferred option in contexts that support them, with #markup used as a best practice for applying XSS admin filtering.

xjm’s picture

xjm
she/her
Primary language English
commented
Assigned: Unassigned » xjm
Priority: Normal » Major
Status: Needs review » Needs work

Notes from #2554889: Remove SafeMarkup::set() from the codebase:

https://www.drupal.org/node/2311123 includes nothing about render arrays or the item list template, but leveraging render arrays was one of the ways we were able to get rid a lot of SafeMarkup::set() usage in core. Also the links in https://www.drupal.org/node/2549395 are not accessible; we should add actual link text (unlike what I did here) ;). Finally, we need a g.d.o/core post announcing this as well given the impact.

Edit: Also, we need to cover how to do things that are incompatible with Xss::filterAdmin() somewhere.

Also the SafeMarkup::format() example in https://www.drupal.org/node/2311123 arguably should be a Twig template. Anyway, I updated it with stubs for how it should be updated. I also think it should actually stop to exist as a separate thing entirely and be merged into https://www.drupal.org/node/2296163 because its title makes no sense now (I had filed an issue for this to happen several months ago but looks like it hasn't happened).

I can work on these things later if someone else doesn't get to them first.

Working on those two parts of it to start, and also on https://www.drupal.org/node/2549395.

xjm’s picture

xjm
she/her
Primary language English
commented
Parent issue: » #2549943: [plan] Remove as much of the SafeMarkup class's methods as possible
xjm’s picture

xjm
she/her
Primary language English
commented
xjm’s picture

xjm
she/her
Primary language English
commented

Lots of CRs need to be checked over for the checkPlain() deprecation as well. These should have gotten fixed before that patch went in probably, but we should definitely do so now:

https://www.drupal.org/list-changes/published/drupal?keywords_descriptio...

https://www.drupal.org/list-changes/published/drupal?keywords_descriptio...

Also see:

xjm’s picture

xjm
she/her
Primary language English
commented

https://www.drupal.org/node/2392803 might also want an update; I believe render arrays are now supported for the link generator as well.

xjm’s picture

xjm
she/her
Primary language English
commented

Updated: https://www.drupal.org/node/2457593/revisions/view/8302341/8838229

xjm’s picture

xjm
she/her
Primary language English
commented

Added: https://www.drupal.org/node/2296163/revisions/view/8837793/8838257

And I'll update all of those to reference that.

xjm’s picture

xjm
she/her
Primary language English
commented

This message is added to all the other CRs (copy-pastable for your future SafeMarkup changing fun!)

<h3>Related change records</h3>

See <a href="https://www.drupal.org/node/2296163">Twig autoescape enabled and text sanitization APIs updated</a> for a full list of related change records.

I also reduced the inline_template CR back to cover what it actually covers:
https://www.drupal.org/node/2311123/revisions/view/8828245/8838343

And began consolidating the concatenation strategies onto the main CR:
https://www.drupal.org/node/2296163/revisions/view/8838269/8838345

xjm’s picture

xjm
she/her
Primary language English
commented
Assigned: xjm » Unassigned

From #2555473-32: Deprecate SafeMarkup::checkPlain() for Drupal 8.0.x:

Alright, @alexpott, @effulgentsia, and I reworked the main change record for the method removals in SafeMarkup methods are removed. There are still a couple outstanding things that I think should be improved (copying and expanding notes from our google docs draft):

  1. If the string is used in a Twig template, rely on Twig's auto-escaping feature. Simply remove the call to SafeMarkup::checkPlain(). For example, most SafeMarkup::checkPlain() calls in template preprocess functions can be removed. Another common case is the construction of a render array that uses a Twig template. For example, data that is being themed using an item list or table does not need to be escaped as Twig will do this for you. If text that has already been escaped using Html::escape() ends up in a Twig template variable, it will be double-escaped.

    This is clearer now, but as a reader of this I still would not entirely understand "is used in a template". First of all, there are ways to use strings unsafely in a template. Do we have a Twig resource we can reference about how output ends up in templates and how it is used safely? Secondly, there are many cases where a developer is creating output that will be used in an existing template without the developer knowing anything about it. (Maybe we need a chart somewhere indicating which strings will be escaped, which strings will be filtered, and which will not be sanitized. That doesn't need to block this though.)

  2. For example, most SafeMarkup::checkPlain() calls in template preprocess functions can be removed

    We should clarify when they can't be removed. For example, if the string is XSS-filtered, this will be more permissive than escaping and bypass it because the resulting string will be safe.

  3. Another common case is the construction of a render array that uses a Twig template. For example, data that is being themed using an item list or table does not need to be escaped as Twig will do this for you.

    This example is helpful. A code snippet might make it more so. However, some render array elements, like #prefix, #suffix, #value, and #markup are not escaped (only admin filtered) so this sentence is somewhat too vague.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Fixed

I am all for improving documentation of all kinds but this is for change records for a now unsupported version of Drupal. There has been work here for 9 years as well. I suggest it would be better to focus our time on improving documentation and change records for supported versions. By this time, people are using internet searched to find support on these topics.

Although this was not 100% complete, I am going to close it as fixed to allow credit for those who worked on the change records. If you disagree with this decision, re-open and add a comment.

Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.