Problem/Motivation
Twig's |raw filter bypasses autoescaping and is therefore a pathway to XSS bugs. Core's only usage of it is in time.html.twig, and since we have autoescaping it is completely unnecessary.
Proposed resolution
- Remove the 'html' property from the 'time' theme function.
- Remove |raw and the html flag from the time.html.twig template and its docblocks.
- Remove any reference to the 'html' variable from preprocess.
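To make the motivation concrete, here is an added example (not Drupal core code and not part of this issue's patch) that renders the two template shapes side by side with Twig's PHP API. It assumes Twig is installed through Composer (vendor/autoload.php); the template strings, the `html`/`text` variable names and the attacker-controlled value are constructed for the example.

```php
<?php
// Added example: why `{{ text|raw }}` guarded by a preprocess-set flag is
// dangerous, and why autoescaping makes the filter unnecessary.
// Assumption: Twig is available via Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

$loader = new ArrayLoader([
    // The pattern this issue removes: the template trusts a boolean set in
    // preprocess and bypasses escaping with |raw when it is true.
    'time_with_raw.html.twig' =>
        '<time>{% if html %}{{ text|raw }}{% else %}{{ text }}{% endif %}</time>',
    // The pattern after the change: no flag, no |raw; autoescape decides.
    'time_autoescaped.html.twig' => '<time>{{ text }}</time>',
]);

// Drupal's Twig environment runs with HTML autoescaping enabled, as here.
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed untrusted value: imagine a "formatted date" string that was
// assembled from request data somewhere before reaching the theme layer.
$untrusted = '<img src=x onerror="alert(document.cookie)">';

// 1. A preprocess hook that sets html => TRUE on untrusted data hands the
//    attacker's markup straight to the browser.
echo $twig->render('time_with_raw.html.twig', [
    'html' => TRUE,
    'text' => $untrusted,
]), "\n";

// 2. The same value through the autoescaped template is inert: Twig's html
//    escaper turns <, >, " and & into entities before output.
echo $twig->render('time_autoescaped.html.twig', [
    'text' => $untrusted,
]), "\n";

// 3. When preprocess genuinely produces markup, mark it safe at the source
//    (Twig\Markup here; Drupal's render layer has its own safe-markup objects
//    for the same purpose) instead of giving the template a blanket |raw.
//    Autoescape leaves Markup objects untouched and escapes everything else.
$trusted = new Markup('<span class="date">2015-06-10</span>', 'UTF-8');
echo $twig->render('time_autoescaped.html.twig', [
    'text' => $trusted,
]), "\n";
```

The first render emits the injected `<img>` element verbatim; the second emits `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which is harmless text; the third emits the span unescaped because the value was explicitly marked safe by the code that built it, which is the only place that can know whether it is. That is the property the patch restores: the decision to trust markup moves out of the template and out of a flag that any preprocess hook can flip.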
Remaining tasks
n/a
User interface changes
n/a
API changes
n/a
Beta phase evaluation
Criterion | Evaluation
---|---
Issue category | Task because it's cleaning up leftover from D7 conversion
Issue priority | Major because it's a security issue
Unfrozen changes | Unfrozen because it only changes markup and strings
Prioritized changes | The main goal of this issue is security
Comment | File | Size | Author |
---|---|---|---|
#9 | interdiff.txt | 1.91 KB | joelpittet |
#9 | remove_html_option-2500747-9.patch | 5.2 KB | joelpittet |
 | time.autoescape.patch | 3.95 KB | effulgentsia |
Comments
Comment #1
effulgentsia (credit attribution: Acquia)
Comment #2
joelpittet
Completely agree. Thank you for removing this vestige :)
Updated IS and added beta eval. Bumped to major as it's security related.
Comment #3
joelpittet
Comment #4
joelpittet
Comment #5
joelpittet
Comment #6
xjm
I think there are docs that need an update in core/themes/classy/templates/field/time.html.twig?
Comment #7
xjm
Err. Disregard that. I failed to actually apply the patch before checking.
Comment #8
xjm
Oh no, I was right. This bit:
So let's remove that reference too. :)
Comment #9
joelpittet
Removed two leftover comment references to the HTML flag on time.html.twig, back to RTBC.
Comment #10
star-szr
+1, changes look good.
Comment #11
xjm
Thanks for the quick update!
This issue only changes markup and docs, so per https://www.drupal.org/core/beta-changes, this can be completed any time during the Drupal 8 beta phase. It's also prioritized as a security hardening. Committed and pushed to 8.0.x.