Problem/Motivation

FormCache::loadCachedFormState calls SafeMarkup::set() which is meant to be for internal use only.

Proposed resolution

  • If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.

Remaining tasks

  1. Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
  2. Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
  3. If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.

User interface changes

N/A

API changes

N/A

Files: 
CommentFileSizeAuthor
#21 document-2501823-21.patch822 bytesdavidhernandez
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 97,046 pass(es). View
#19 interdiff.txt867 bytesjoelpittet
#19 document-2501823-19.patch849 bytesjoelpittet
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,964 pass(es). View
#18 interdiff.txt994 bytesjoelpittet
#18 document-2501823-18.patch851 bytesjoelpittet
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,971 pass(es). View
#17 document-2501823-17.patch847 bytesdavidhernandez
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,980 pass(es). View
#12 document-2501823-12.patch814 bytespeezy
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,150 pass(es). View
#9 document-2501823-8.patch813 bytespeezy
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 95,655 pass(es). View

Comments

peezy’s picture

Title: Document SafeMarkup::set in FormCache::setCache » Document SafeMarkup::set in FormCache::loadCachedFormState
Issue summary: View changes
peezy’s picture

Status: Active » Needs review
FileSize
803 bytes
FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] Unable to apply patch document-2501823-2.patch. Unable to apply patch. See the log in the details link for more information. View

Status: Needs review » Needs work

The last submitted patch, 2: document-2501823-2.patch, failed testing.

peezy’s picture

Status: Needs work » Needs review
FileSize
803 bytes
FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] Unable to apply patch document-2501823-3.patch. Unable to apply patch. See the log in the details link for more information. View

Resubmitting patch after pulling.

Status: Needs review » Needs work

The last submitted patch, 4: document-2501823-3.patch, failed testing.

peezy’s picture

Version: 8.1.x-dev » 8.0.x-dev
Status: Needs work » Needs review
FileSize
803 bytes
FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] 95,712 pass(es), 1 fail(s), and 0 exception(s). View

Corrected core version.

joelpittet’s picture

Status: Needs review » Needs work

Sorry we just need to keep these under 80 characters per line.

+++ b/core/lib/Drupal/Core/Form/FormCache.php
@@ -170,7 +170,8 @@ protected function loadCachedFormState($form_build_id, FormStateInterface $form_
+      // this request. The safety of these strings has already been determined in setCache()
+      // This insures that the strings being passed to this function have been marked as safe.

80 character limit.

The last submitted patch, 6: document-2501823-4.patch, failed testing.

peezy’s picture

FileSize
813 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 95,655 pass(es). View

Reduced length of comments to be fewer than 80 characters.

peezy’s picture

Status: Needs work » Needs review
joelpittet’s picture

+++ b/core/lib/Drupal/Core/Form/FormCache.php
@@ -170,7 +170,9 @@ protected function loadCachedFormState($form_build_id, FormStateInterface $form_
+      //function have been marked as safe.

space pleezy

peezy’s picture

FileSize
814 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,150 pass(es). View

Sorry, it was obviously a late night.

joelpittet’s picture

Status: Needs review » Reviewed & tested by the community

Merci bien! That works.

catch’s picture

Status: Reviewed & tested by the community » Needs work
+++ b/core/lib/Drupal/Core/Form/FormCache.php
@@ -170,7 +170,9 @@ protected function loadCachedFormState($form_build_id, FormStateInterface $form_
+      // in setCache(). This insures that the strings being passed to this

Sorry nitpick but this should be 'ensures'

Cottser’s picture

I'm wondering do we even need this sentence? Seems a tiny bit redundant the way I'm reading it.

+++ b/core/lib/Drupal/Core/Form/FormCache.php
@@ -170,7 +170,9 @@ protected function loadCachedFormState($form_build_id, FormStateInterface $form_
+      // in setCache(). This insures that the strings being passed to this
+      // function have been marked as safe.
joelpittet’s picture

I thought there was $5M liability on this method, insures it correct to me:P

davidhernandez’s picture

Status: Needs work » Needs review
FileSize
847 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,980 pass(es). View

Removed the redundant sentence and clarified the first one.

joelpittet’s picture

FileSize
851 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,971 pass(es). View
994 bytes

Thanks @davidhernandez. Just adding some pluralized pronouns and doc standards for methods in comments. AFAIK.

joelpittet’s picture

FileSize
849 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 96,964 pass(es). View
867 bytes

Scratch the first thing, it's 'the list' not 'the safe strings'.

cilefen’s picture

+++ b/core/lib/Drupal/Core/Form/FormCache.php
@@ -169,8 +169,9 @@ protected function loadCachedFormState($form_build_id, FormStateInterface $form_
+      // Retrieve the previously known list of safe strings and store it for
+      // this request. The safety of these strings has already been determined
+      // in ::setCache().

Just semantically, I would go with "Retrieve the safe strings and store them for this request. ..." if that conveys the proper meaning. Does it matter that they were "previously known"?

davidhernandez’s picture

FileSize
822 bytes
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 97,046 pass(es). View

Simplified the sentence. Lets not bikeshed it.

Cottser’s picture

Status: Needs review » Reviewed & tested by the community

I'm not sure if the ::setStrings() thing is going to mesh with api.d.o, but this looks good to me now. Small patch but it points to where the safeness of the strings has been determined.

Edit: And not sure it matters since it's an inline comment?

joelpittet’s picture

Orange... I mean rtbc

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 21: document-2501823-21.patch, failed testing.

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 21: document-2501823-21.patch, failed testing.

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 21: document-2501823-21.patch, failed testing.

Cottser’s picture

Status: Needs work » Reviewed & tested by the community

  • xjm committed 1341984 on 8.0.x
    Issue #2501823 by peezy, joelpittet, davidhernandez: Document SafeMarkup...
xjm’s picture

Status: Reviewed & tested by the community » Fixed

Thanks everyone! As with #2501447: Document SafeMarkup::setMultiple in _batch_page(), we're not going to be able to get around this usage right now, and we do have the existing @todo for the memory implications. So, committed and pushed to 8.0.x.

Re: the ::setCache() bit, api.d.o will indeed not parse it, but I think we said it's okay to use such shorthands in paragraphs of text on the same class. So I think that's okay.

tim.plunkett’s picture

Component: theme system » forms system

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.