Remove SafeMarkup::set in FieldPluginBase::advancedRender()

Follow-up to #2501639: Remove SafeMarkup::set in drupal_check_module()

Problem/Motivation

FieldPluginBase:advancedRender calls SafeMarkup::set() which is meant to be for internal use only.

Proposed resolution

Remove the call by refactoring the code.
~~If refactoring is not possible, thoroughly document where the string is coming from and why it is safe, and why SafeMarkup::set() is required.~~

Remaining tasks

Evaluate whether the string can be refactored to one of the formats outlined in this change record: https://www.drupal.org/node/2311123
Identify whether there is existing automated test coverage for the sanitization of the string. If there is, list the test in the issue summary. If there isn't, add an automated test for it.
If the string cannot be refactored, the SafeMarkup::set() usage needs to be thoroughly audited and documented.

Manual testing steps (for XSS and double escaping)

Do these steps both with HEAD and with the patch applied:

Clean install of Drupal 8.
Compare the output above in HEAD and with the patch applied. Confirm that there is no double-escaping.
If there is any user or calling code input in the string, submit
alert('XSS');
and ensure that it is sanitized.

User interface changes

N/A

API changes

N/A

Comments

Comment #1

kgoel CreditAttribution: kgoel at Forum One commented 13 June 2015 at 16:07

Status:

Needs work

» Active

Log in or register to post comments

Comment #2

kgoel CreditAttribution: kgoel at Forum One commented 13 June 2015 at 18:59

Issue tags:

Log in or register to post comments

Comment #3

kgoel CreditAttribution: kgoel at Forum One commented 13 June 2015 at 19:04

Related issues:

+#2280961: (Views)FieldPluginBase::advancedRender() calls SafeMarkup::set() on a string that it doesn't know to be safe

Closed https://www.drupal.org/node/2280961 as duplicate, this issue addresses the remaining SafeMarkup::set in FieldPluginBase.php

Log in or register to post comments

chx’s picture

Comment #4

chx CreditAttribution: chx commented 12 July 2015 at 00:52

Issue summary:

Log in or register to post comments

chx’s picture

Comment #5

chx CreditAttribution: chx commented 12 July 2015 at 00:53

Title:

Remove SafeMarkup::set in buildOptionsForm() and advancedRender()

» Remove SafeMarkup::set in FieldPluginBase::advancedRender()

Log in or register to post comments

RavindraSingh’s picture

Comment #6

RavindraSingh CreditAttribution: RavindraSingh as a volunteer and at Srijan | A Material+ Company commented 1 August 2015 at 17:58

Issue can be closed as it has been mentioned as a duplicate of #2501931: Remove SafeMarkup::set in twig_render_template() and ThemeManager and FieldPluginBase:advancedRender

Log in or register to post comments

Comment #7

alimac CreditAttribution: alimac at University of Illinois at Chicago commented 2 August 2015 at 14:39

Status:	Active	» Closed (duplicate)
Related issues:		+#2505679: Remove SafeMarkup::set in FieldPluginBase::advancedRender()

Log in or register to post comments

Comment #8

alimac CreditAttribution: alimac at University of Illinois at Chicago commented 2 August 2015 at 14:40

Related issues:

-#2505679: Remove SafeMarkup::set in FieldPluginBase::advancedRender()

+#2501931: Remove SafeMarkup::set in twig_render_template() and ThemeManager and FieldPluginBase:advancedRender

Log in or register to post comments