Attached file (comment #4): fix_double_escaping_of-2531652-3.patch, 2.06 KB, by cilefen

Comments

hass’s picture

Not sure if this is safe:

    use Drupal\Component\Utility\SafeMarkup;

    $form['tracking']['domain_tracking']['google_analytics_domain_mode'] = [
      '#type' => 'radios',
      '#title' => t('What are you tracking?'),
      '#options' => [
        0 => SafeMarkup::set(t('A single domain (default)') . '<div class="description">' . t('Domain: @domain', ['@domain' => $_SERVER['HTTP_HOST']]) . '</div>'),
        1 => SafeMarkup::set(t('One domain with multiple subdomains') . '<div class="description">' . t('Examples: @domains', ['@domains' => implode(', ', $multiple_sub_domains)]) . '</div>'),
        2 => SafeMarkup::set(t('Multiple top-level domains') . '<div class="description">' . t('Examples: @domains', ['@domains' => implode(', ', $multiple_toplevel_domains)]) . '</div>'),
      ],
      '#default_value' => $config->get('domain_mode'),
    ];

hass’s picture

Looks no better:

    $form['tracking']['domain_tracking']['google_analytics_domain_mode'] = [
      '#type' => 'radios',
      '#title' => t('What are you tracking?'),
      '#options' => [
        0 => SafeMarkup::format(t('A single domain (default)') . '<div class="description">' . t('Domain: @domain', ['@domain' => $_SERVER['HTTP_HOST']]) . '</div>'),
        1 => SafeMarkup::format(t('One domain with multiple subdomains') . '<div class="description">' . t('Examples: @domains', ['@domains' => implode(', ', $multiple_sub_domains)]) . '</div>'),
        2 => SafeMarkup::format(t('Multiple top-level domains') . '<div class="description">' . t('Examples: @domains', ['@domains' => implode(', ', $multiple_toplevel_domains)]) . '</div>'),
      ],
      '#default_value' => $config->get('domain_mode'),
    ];

cilefen’s picture

Status: Active » Needs review
Attached file: new, 2.06 KB

SafeMarkup::set() is for internal use only.

cilefen’s picture

None of this is user-entered in this form section so there is little to worry about.

hass’s picture

Status: Needs review » Fixed

Translatable strings could be user entered on l.d.o :-)

  • hass committed 22a8ac3 on 8.x-2.x authored by cilefen
    Issue #2531652 by cilefen: Fix double escaping of domain_mode radios
    
cilefen’s picture

@hass Ah, yes. This is true.

cilefen’s picture

Now I am less sure of myself. I think that in SafeMarkup::format() we may need to use replacement tokens to be safe.

hass’s picture

hass’s picture

cilefen’s picture

Nice! I didn't know about that option #description either.
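
The per-option #description approach mentioned above, written out as an added example. This is not the module's committed code (the commit itself is not shown on this page) and not code from any participant; it assumes the same surrounding form-builder context as the snippets earlier in the thread ($form, $config, $multiple_sub_domains, $multiple_toplevel_domains) and wraps the logic in a hypothetical function named example_domain_mode_radios(). It relies on Radios::processRadios() merging a sub-element keyed by the option value into the generated radio, so the description is rendered by the theme layer instead of being concatenated as HTML into the label and escaped a second time.

```php
<?php

/**
 * Added example (not the google_analytics module's own code): attaches the
 * domain_mode radios to $form without double escaping.
 *
 * @param array $form
 *   The form array being built (assumed to exist as in the thread's snippets).
 * @param \Drupal\Core\Config\ImmutableConfig $config
 *   The module settings config object (assumed, as in the thread's snippets).
 * @param string[] $multiple_sub_domains
 *   Example subdomains to list; treated as untrusted plain strings.
 * @param string[] $multiple_toplevel_domains
 *   Example top-level domains to list; treated as untrusted plain strings.
 */
function example_domain_mode_radios(array &$form, $config, array $multiple_sub_domains, array $multiple_toplevel_domains) {
  // Read the host through the request object instead of $_SERVER['HTTP_HOST']:
  // the Host header is client-controlled, and Request::getHost() checks it
  // against the trusted host patterns configured for the site.
  $host = \Drupal::request()->getHost();

  $form['tracking']['domain_tracking']['google_analytics_domain_mode'] = [
    '#type' => 'radios',
    '#title' => t('What are you tracking?'),
    // Labels stay plain TranslatableMarkup objects. Nothing is concatenated
    // onto them, so no HTML is marked safe by hand and then escaped on render.
    '#options' => [
      0 => t('A single domain (default)'),
      1 => t('One domain with multiple subdomains'),
      2 => t('Multiple top-level domains'),
    ],
    '#default_value' => $config->get('domain_mode'),
  ];

  // Radios::processRadios() creates one child 'radio' element per option and
  // merges in any sub-element already keyed by that option value, so each
  // option can carry its own #description. The '@' placeholders escape the
  // untrusted host and domain values; the description wrapper markup comes
  // from the form-element template, not from string concatenation.
  $radios = &$form['tracking']['domain_tracking']['google_analytics_domain_mode'];
  $radios[0]['#description'] = t('Domain: @domain', ['@domain' => $host]);
  $radios[1]['#description'] = t('Examples: @domains', ['@domains' => implode(', ', $multiple_sub_domains)]);
  $radios[2]['#description'] = t('Examples: @domains', ['@domains' => implode(', ', $multiple_toplevel_domains)]);
}
```

The point raised earlier about SafeMarkup::format() applies here as well: translated strings can be edited by translators, so they are passed to t() as the template with '@' placeholders for the variable parts, never joined with raw HTML after translation.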

hass’s picture

Me too...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.