Follow-up from #2492839-116: Views replacement token bc layer allows for Twig template injection via arguments. Anytime you see the same code three times, it needs to be abstracted!

+++ b/core/modules/views/src/Plugin/views/PluginBase.php
@@ -357,34 +353,44 @@ protected function viewsTokenReplace($text, $tokens) {
         assert('preg_match(\'/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/\', $token) === 1', 'Tokens need to be valid Twig variables.');
...
+        assert('preg_match(\'/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/\', $top) === 1', 'Tokens need to be valid Twig variables.');
...
+          assert('preg_match(\'/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/\', $key) === 1', 'Tokens need to be valid Twig variables.');
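Review bot: the same regex literal is now duplicated in three string-form assert() calls (for $token, $top and $key), so the copies can drift apart and any change to the character classes has to be made three times; hoist it into one class constant or a single helper and have every site reference that, keeping the check free in production (the string form is only eval'd while assertions are active). The message 'Tokens need to be valid Twig variables.' also does not say which key failed; including the escaped offending name would make a failure report actionable.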

We should either provide this regex as a constant or provide a Twig::isValidVariable() function.
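As an added example (not part of this summary and not Drupal core code), the following sketches what the proposed helper could look like and how a Views-style token map would be checked against it. It assumes a hypothetical class Drupal\Component\Utility\Twig with the constant and method named above, plus a hypothetical tokens_to_twig_context() that mirrors the token-key handling of the three assert() sites quoted in the hunk; the sample inputs are constructed.

```php
<?php
// Added example, not Drupal core code. It assumes a hypothetical helper
// class Drupal\Component\Utility\Twig with the constant and method the
// summary proposes, and a hypothetical tokens_to_twig_context() that
// mirrors the token-key handling of the three assert() sites quoted above.

namespace Drupal\Component\Utility;

final class Twig {

  /**
   * Twig variable names follow PHP's identifier rule.
   *
   * The \x7f-\xff range admits every byte of a multibyte UTF-8 sequence
   * (no /u modifier, so the regex works byte-wise like PHP's own lexer),
   * while anything that is Twig syntax ("-", ".", "|", "(", " ") is not.
   */
  const VARIABLE_REGEX = '/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/';

  /**
   * Returns TRUE if $variable can be used as a bare Twig variable name.
   */
  public static function isValidVariable($variable) {
    return is_string($variable) && preg_match(self::VARIABLE_REGEX, $variable) === 1;
  }

}

/**
 * Builds a Twig context array from a Views-style token map.
 *
 * Keys may be wrapped in "{{ }}" and may be dot-delimited paths such as
 * "{{ field.title }}"; every path segment must be a valid variable name.
 * Rejecting anything else is what keeps a token name that an argument
 * influences from carrying Twig syntax into the template being compiled.
 */
function tokens_to_twig_context(array $tokens) {
  $context = array();
  foreach ($tokens as $token => $replacement) {
    // Views passes some tokens with braces and some without.
    if (strpos($token, '{{') !== FALSE) {
      $token = trim(str_replace(array('{{', '}}'), '', $token));
    }
    $parts = explode('.', $token);
    foreach ($parts as $part) {
      if (!Twig::isValidVariable($part)) {
        throw new \InvalidArgumentException(
          '"' . htmlspecialchars($part, ENT_QUOTES, 'UTF-8') . '" is not a valid Twig variable.'
        );
      }
    }
    // Nest "a.b.c" => value as array('a' => array('b' => array('c' => value))).
    $branch = array(array_pop($parts) => $replacement);
    foreach (array_reverse($parts) as $key) {
      $branch = array($key => $branch);
    }
    $context = array_merge_recursive($context, $branch);
  }
  return $context;
}

// Constructed sample input: well-formed keys, including a dotted path and a
// multibyte name, build a nested context.
$context = tokens_to_twig_context(array(
  '{{ title }}' => 'Hello',
  '{{ field.uid }}' => 7,
  'field.über' => 'ok',
));
print_r($context);

// Constructed sample input: each of these keys would inject Twig syntax
// (subtraction, a filter, a leading digit, whitespace, an empty name) and is
// refused before any template is built.
foreach (array('{{ foo-bar }}', '{{ foo|raw }}', '{{ 9lives }}', '{{ a b }}', '{{ }}') as $bad) {
  try {
    tokens_to_twig_context(array($bad => 'x'));
  }
  catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
  }
}
```

The regex is deliberately byte-based: without the /u modifier it accepts the same names PHP itself accepts as identifiers, which is the rule Twig follows, and it never lets an operator, filter pipe or whitespace through, so a key like {{ foo-bar }} cannot be turned into the expression foo - bar once the template is compiled.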

Comments

mikeker created an issue. See original summary.

joelpittet

Title: [Follow-up] Create a Twig regex constant or function that validates a Twig variable » Create a Twig regex constant or function that validates a Twig variable
Issue tags: +rc eligible

This seems like improved testing.

mikeker

Status: Active » Needs review

How about this as a starting point?

mikeker

mikeker

Sorry, meant to say in the previous comment:

Adds a few more tests and cleans up the incorrect naming of an existing test (the "...WithTokens" test was testing replacement without tokens).

joelpittet

Status: Needs review » Needs work

@mikeker thanks for pushing this along. Here's a review:

  1. +++ b/core/lib/Drupal/Component/Utility/Twig.php
    @@ -0,0 +1,43 @@
    +   * @param  string $variable
    

    nit: extra space between @param and string.

  2. +++ b/core/lib/Drupal/Component/Utility/Twig.php
    @@ -0,0 +1,43 @@
    +    return preg_match('/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/', $variable) === 1;
    ...
    +    if (empty($message)) {
    +      $message = '"' . Html::escape($variable) . '" is not a valid Twig variable.';
    +    }
    +    assert(Twig::isValidVariable($variable), $message);
    
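Review bot: $message is built (with Html::escape()) in a statement before assert() is reached, so that work runs on every call whatever the assertion state; move the message expression into assert()'s second argument, where PHP 7's zend.assertions=-1 drops it together with the call, and for PHP 5, where assert() is an ordinary function whose arguments are always evaluated, return early when assert_options(ASSERT_ACTIVE) is false so neither preg_match() nor the escaping runs in production. Inside the class itself, self::isValidVariable() is preferable to Twig::isValidVariable().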

    Before the preg match was happening in a string in the assert. We discussed in another issue about performance and asserts are not called unless in dev and turned on. But this setup will call preg_match() and empty() and Html::escape(). Which will all have a negative performance impact. Can we get away without this?

  3. +++ b/core/lib/Drupal/Component/Utility/Twig.php
    @@ -0,0 +1,43 @@
    +   * Asserts if the specified string is not a valid Twig variable
    +
    +   * @param  string $variable
    

    nit: Missing a * on the next line and a period. Extra space between @param and string.

snehi

Status: Needs work » Needs review

As mentioned in #6.
1. Fixed
2. Don't know which part to remove only preg_match or all the functions.
3. Fixed.

mikeker

@joelpittet, Thanks for the review! From #6:

Before the preg match was happening in a string in the assert. We discussed in another issue about performance and asserts are not called unless in dev and turned on. But this setup will call preg_match() and empty() and Html::escape(). Which will all have a negative performance impact. Can we get away without this?

Good point. If assert() is passed a string, then it's not eval'ed if assertions are turned off. That will save us the preg_match() call in production. However, I don't think there is a way to avoid Html::escape() unless we know that the token keys are safe (I don't believe they are) or that assert messages are escaped before being displayed (I have no idea...). I suppose we could check ASSERT_ACTIVE?

+++ b/core/modules/views/src/Tests/Plugin/PluginBaseTest.php
@@ -44,13 +44,59 @@ public function testViewsTokenReplace() {
+    try {
+      $text = '{{ foo-bar }}';
+      $tokens = [
+        '{{ foo-bar }}' => 'bogus',
+      ];
+
+      \Drupal::service('renderer')->executeInRenderContext(new RenderContext(), function () use ($text, $tokens) {
+        return $this->testPluginBase->viewsTokenReplace($text, $tokens);
+      });
+    }
+    catch(\Exception $e) {
+      $this->assertIdentical('"foo-bar" is not a valid Twig variable.', $e->getMessage());
+    }
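Review bot: catch (\Exception $e) will not see the failure on PHP 7 once the test bootstrap has assertions throw, because \AssertionError extends \Error rather than \Exception, so the expected-message check is skipped there; catch \AssertionError instead (core's PHP 5 assertion handler throws a polyfilled class of that name, so the same catch works on both versions). Coding standards also want a space in `catch (\Exception $e)`.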

Added a $this->fail() at the end of the try block. Otherwise the test never fails and that's not a very good test... :)

mikeker

Also, this issue should always be tested against both PHP 5.5 and PHP 7 as the assert function changes substantially between the two versions.
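As an added example, not part of this thread and not Drupal core code, the following sketches a hypothetical Twig::assertValidVariable() and makes visible which of its parts actually run when assertions are off. It addresses the cost question raised in #6 and the PHP 5 versus PHP 7 behaviour discussed above; htmlspecialchars() stands in for Html::escape(), and the $checks counter exists only for the demonstration.

```php
<?php
// Added example, not Drupal core code. It sketches a hypothetical
// Twig::assertValidVariable() and makes visible which of its parts run
// when assertions are off, which is the cost question from #6 and the
// PHP 5 / PHP 7 difference raised above. htmlspecialchars() stands in for
// Html::escape(), and the $checks counter exists only for this demonstration.

namespace Drupal\Component\Utility;

final class Twig {

  const VARIABLE_REGEX = '/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/';

  /** How many times the regex has actually been run (demonstration only). */
  public static $checks = 0;

  public static function isValidVariable($variable) {
    self::$checks++;
    return is_string($variable) && preg_match(self::VARIABLE_REGEX, $variable) === 1;
  }

  /**
   * Asserts that $variable is a valid Twig variable name.
   *
   * PHP 5: assert() is an ordinary function, so every argument, including a
   * message built with an escaping call, is evaluated before the call even
   * when assert.active=0. The ASSERT_ACTIVE guard is what keeps preg_match()
   * and the escaping out of production there.
   *
   * PHP 7 with zend.assertions=-1: no code is generated for the assert()
   * call, so its argument expressions never run. That only helps if the
   * message is an argument; a statement before the call would still execute.
   */
  public static function assertValidVariable($variable) {
    if (!assert_options(ASSERT_ACTIVE)) {
      return;
    }
    assert(
      self::isValidVariable($variable),
      '"' . htmlspecialchars($variable, ENT_QUOTES, 'UTF-8') . '" is not a valid Twig variable.'
    );
  }

}

// Production-like configuration: assertions inactive. The guard returns
// before the regex or the escaping runs, so the counter does not move even
// for an invalid name.
assert_options(ASSERT_ACTIVE, 0);
Twig::assertValidVariable('foo-bar');
$checks_when_inactive = Twig::$checks;

// Development configuration: assertions active, warnings rather than
// exceptions so the snippet behaves the same on PHP 5 and PHP 7. A valid
// name passes silently; the regex runs once per call here (on PHP 7 only
// when zend.assertions=1, since -1 drops the assert() call at compile time).
assert_options(ASSERT_ACTIVE, 1);
assert_options(ASSERT_WARNING, 1);
Twig::assertValidVariable('foo_bar');
$checks_when_active = Twig::$checks;

printf("regex runs with assertions off: %d, on: %d\n", $checks_when_inactive, $checks_when_active);
```

To see the failure path, call Twig::assertValidVariable('foo-bar') with assertions active: PHP 5 and a default PHP 7 emit a warning carrying the escaped name, while a PHP 7 process with ASSERT_EXCEPTION turned on (as core's test bootstrap does) throws \AssertionError, which is the difference between the two versions that a test has to account for.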

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

fomenkoandrey

PHP 7
Drupal 8.1.3

Warning: assert(): Tokens need to be valid Twig variables.: "preg_match('/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/', $key) === 1" failed in Drupal\views\Plugin\views\PluginBase->viewsTokenReplace() (line 376 of /home/skitours/public_html/core/modules/views/src/Plugin/views/PluginBase.php).

mikeker

@fomenkoandrey: Can you provide some more details about the view causing the assert. Specifically any tokens used in field rewrites.

Thanks.

fomenkoandrey

View: http://savepic.net/8212030.png

Date field for when the node was changed.
Overridden output: {{ changed }}, {{ uid }}
http://savepic.net/8192574.png

Body field, cropped to 600 characters, then overridden to 300 and with a link using the token {{ path }}
http://savepic.net/8209982.png
http://savepic.net/8216126.png
http://savepic.net/8213054.png

3 filters:
author not admin http://savepic.net/8202814.png
changed < 720 hours http://savepic.net/8203838.png
author - opened for users http://savepic.net/8207934.png

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.