Improve FormattableMarkup documentation [#2580505]

Problem/Motivation

Follow-up to #2570431: Document that certain (non-"href") attribute values in t() and SafeMarkup::format() are not supported and may be insecure

FormattableMarkup warning about use in "<" and ">" of an HTML tag talks about placeholder, use in placeholder string is documented in PlaceholderTrait

Proposed resolution

Make the warning about use of the object (the string value in the object).

Remaining tasks

Contributor tasks needed
Task	Novice task?	Contributor instructions	Complete?
Create a patch		Instructions
Review patch to ensure that it fixes the issue, stays within scope, is properly documented, and follows coding standards		Instructions

User interface changes

API changes

Data model changes

Comment	File	Size	Author
#52	2580505-52.patch	8.18 KB	smustgrave
#52	10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass
#52	interdiff-44-52.txt	2.14 KB	smustgrave
#44	2580505-44.patch	8.12 KB	Abhijith S
#44	9.2.x: PHP 7.3 & MySQL 5.7 28,222 pass 10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass
#42	interdiff_39-42.txt	1.37 KB	nikitagupta
#42	2580505-42.patch	8.11 KB	nikitagupta
#42	9.1.x: PHP 7.4 & MySQL 5.7 27,464 pass
#40	2580505-39.patch	8.11 KB	nikitagupta
#40	9.1.x: PHP 7.4 & MySQL 5.7 27,350 pass
#39	2580505-39.patch	8.11 KB	nikitagupta
#39	9.1.x: PHP 7.4 & MySQL 5.7 Patch Failed to Apply
#26	2580505-25.patch	8.31 KB	krknth
#26	8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass
#24	interdiff-24.txt	1.77 KB	kgoel
#24	2580505-24.patch	8.31 KB	kgoel
#24	8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass
#20	interdiff-20.txt	2.23 KB	kgoel
#20	2580505-20.patch	8.28 KB	kgoel
#20	8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass
#17	2580505.18.patch	8.31 KB	YesCT
#17	8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
#17	interdiff.2580505.15.18.txt	1.16 KB	YesCT
#15	interdiff.2580505.14.15.txt	785 bytes	YesCT
#15	2580505.15.patch	8.29 KB	YesCT
#15	8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
#14	interdiff.2580505.13.14.txt	1.52 KB	YesCT
#14	2580505.14.patch	8.46 KB	YesCT
#14	8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
#13	interdiff.2580505.7.13.txt	2.43 KB	YesCT
#13	2580505.13.patch	8.56 KB	YesCT
#13	8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
#8	2580505.7.patch	8.81 KB	YesCT
#8	8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
#7	interdiff.2580505.6.7.txt	755 bytes	YesCT
#7	2580505.7.patch	755 bytes	YesCT
#7	8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
#6	interdiff.2580505.5.6.txt	1.12 KB	YesCT
#6	2580505-6.patch	8.34 KB	YesCT
#6	8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
#4	2580505-4.patch	8.34 KB	YesCT
#4	8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
#3	2580505-3.patch	2.73 KB	YesCT
#3	10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

5 October 2015 at 16:49

YesCT created an issue. See original summary.

Comment #2

YesCT CreditAttribution: YesCT commented 5 October 2015 at 16:58

Title:	FormattableMarkup warning about use in "<" and ">" of an HTML tag should be about object, use in placeholder string is documented in PlaceholderTrait	» FormattableMarkup warning in class description about use in "<" and ">" of an HTML tag should be about object, use in placeholder string is documented on placeholderFormat()
Related issues:		+#2577785: Remove PlaceholderTrait

#2577785: Remove PlaceholderTrait changed things.

Comment #3

YesCT CreditAttribution: YesCT commented 5 October 2015 at 16:59

File	Size
2580505-3.patch	2.73 KB
10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass

Comment #4

YesCT CreditAttribution: YesCT commented 5 October 2015 at 17:18

Title:	FormattableMarkup warning in class description about use in "<" and ">" of an HTML tag should be about object, use in placeholder string is documented on placeholderFormat()	» Improve FormattableMarkup documentation
Status:	Active	» Needs review

File	Size
2580505-4.patch	8.34 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass

@xjm in #2577785-35: Remove PlaceholderTrait asked for some followups. I think can use this, since the placeholdertrait changes I was going to make are now in FormattableMarkup also.

Comment #5

YesCT CreditAttribution: YesCT commented 5 October 2015 at 17:24

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -32,30 +32,9 @@
- *   Only the "href" attribute is supported via the special ":variable"
- *   placeholder, to allow simple links to be inserted:

@@ -179,6 +169,28 @@ public function jsonSerialize() {
+   *   In $string, only HTML attributes that take a URL as the value, are
+   *   supported via the special ":variable" placeholder. For example, with the
+   *   "href" attribute, the ":variable" placeholder allows simple links to be

not really true, also url for img src.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -83,7 +62,7 @@ class FormattableMarkup implements MarkupInterface {
-   *   additional information about placeholders.
+   *   additional information about correct and secure use of placeholders.

added words about security to motivate people that they actually *do* want to go read it.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
-   *   - @variable: When the placeholder replacement value is:
+   *   - @variable: Use as the default choice for anything displayed on the

made the beginning of each @ % : section use parallel wording, an tell people when they should use it (and not use it) at the beginning.

Comment #6

YesCT CreditAttribution: YesCT commented 5 October 2015 at 17:26

File	Size
2580505-6.patch	8.34 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
interdiff.2580505.5.6.txt	1.12 KB

made consistant use of " or ' in the placeholderFormat calls.

Comment #7

YesCT CreditAttribution: YesCT commented 5 October 2015 at 17:55

File	Size
2580505.7.patch	755 bytes
8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass
interdiff.2580505.6.7.txt	755 bytes

adding a reference for looking up which HTML attributes can take a URL value

to clarify:

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *   - :variable: Use when the return value is to be used as a URL value of an
+   *     HTML attribute, for example the href attribute in an a tag.

File	Size
2580505.7.patch	8.81 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,176 pass

Comment #9

stefan.r CreditAttribution: stefan.r commented 5 October 2015 at 18:02

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *   - %variable: Use when @variable would be appropriate, but the placeholder
+   *     value will also be wrapped in <em> tags with a class. As with

The grammar here sounds a bit funny

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *     @variable, do not use within the "<" and ">" of an HTML tag, such as in
+   *     HTML attribute values. Doing so is a security risk.
...
-   *     As with @variable, do not use this within HTML attributes, JavaScript,
-   *     or CSS. Doing so is a security risk.

Is there a reason we are moving this?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
-   *       $string = "%output_text";
-   *       $arguments = ['output_text' => 'text output here.'];
-   *       $this->placeholderFormat($string, $arguments);
+   *       $this->placeholderFormat('Prefix %output_text', ['%output_text' => 'text output.']);

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
-   *   - :variable: Return value is escaped with
+   *   - :variable: Use when the return value is to be used as a URL value of an
+   *     HTML attribute, for example the href attribute in an a tag.
+   *     Return value is escaped with
...
-   *     using the "href" attribute, ensuring the attribute value is always
-   *     wrapped in quotes:
+   *     using the "href" attribute, ensuring the value is always wrapped in
+   *     quotes.

This change may not be needed, in the parent issue it was decided to only support the "href" attribute?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -179,6 +169,28 @@ public function jsonSerialize() {
+   *     @todo Add some advice and stronger warnings.
+   *       https://www.drupal.org/node/2569041
+   *

Just to be clear, what is this about and how is this related?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -179,6 +169,28 @@ public function jsonSerialize() {
+   *   In $string, only HTML attributes that take a URL as the value, are
+   *   supported via the special ":variable" placeholder. For example, with the
+   *   "href" attribute, the ":variable" placeholder allows simple links to be
+   *   inserted:

This change may not be needed, in the parent issue it was decided to only support the "href" attribute?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -179,6 +169,28 @@ public function jsonSerialize() {
+   *     - Secure: @code <a href=":variable">link text</a> @endcode
+   *     - Secure: @code <a href=":variable" title="static text">link text</a> @endcode
+   *     - Secure: @code <a href=":variable">@variable</a> @endcode

+1 to less of the $this->placeholderFormat noise. Should we keep the explanations that were removed in the first hunk of the patch?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -179,6 +169,28 @@ public function jsonSerialize() {
+   *       - Insecure: @code <img src=:variable />@endcode

This change may not be needed, in the parent issue it was decided to only support the "href" attribute?

Comment #10

YesCT CreditAttribution: YesCT commented 6 October 2015 at 02:01

I missed the part where we decided to only support href. Is there a particular comment I can look at?

Comment #11

stefan.r CreditAttribution: stefan.r commented 6 October 2015 at 06:50

Comments #42 and #50 in the parent. Other attributes than href are untested, and the docs state to only use formattablemarkup for simple markup. Core has no use case for any other attributes, and contrib can be added as people ask for it.

Comment #12

jhodgdon

she/her

English

CreditAttribution: jhodgdon commented 7 October 2015 at 17:12

Component:

base system

» documentation

moving to docs component, right?

Comment #13

YesCT CreditAttribution: YesCT commented 14 October 2015 at 15:52

File	Size
2580505.13.patch	8.56 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
interdiff.2580505.7.13.txt	2.43 KB

I think this puts back the clarification that only href is supported.

Comment #14

YesCT CreditAttribution: YesCT commented 14 October 2015 at 15:55

File	Size
2580505.14.patch	8.46 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
interdiff.2580505.13.14.txt	1.52 KB

changing unsupported to be more strongly worded as insecure.

Comment #15

YesCT CreditAttribution: YesCT commented 14 October 2015 at 16:00

File	Size
2580505.15.patch	8.29 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass
interdiff.2580505.14.15.txt	785 bytes

#9 5. yeah, I think it was asked for in the parent issue, but also handled there. and the linked issue has the related issue on it, so just taking that out.

[edit: need to respond to #9 1. and 2.]

Comment #16

jhodgdon

she/her

English

CreditAttribution: jhodgdon commented 14 October 2015 at 18:52

Status:

Needs review

» Needs work

I think maybe this isn't done, but I took a look through the docs as they are and have some comments. This is confusing stuff.

Overall: I think we should say something, somewhere (not sure where), about the general strategy for all these new formatting objects. Which I think is: when you are formatting some text, you need to always use the proper objects and placeholders to format anything that comes from the database (which is usually unsanitized) or user input (definitely unsanitized). If you do so, everything should be escaped exactly once, not zero times (security risk) or multiple times (ugly).

This text doesn't quite get that across to me. Some detailed notes follow, but that is the general gist.

```
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -32,30 +32,9 @@
- * - Variable placeholders should not be used within the "<" and ">" of an
...
+ * - The result of casting this object to a string should not be used within the
```
This is totally changing the meaning of this section of docs. Is that right?

Because before it was basically saying:

Within the string you are formatting with placeholders, don't use placeholders in the part that is between < and > in an HTML tag.

And now it says something totally different:

Don't use the output of formatting this entire thing between < and > of an HTML tag.

I don't think that is the right change to make?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *   - @variable: Use as the default choice for anything displayed on the
+   *     site. Do not use within the "<" and ">" of an HTML tag, such as in HTML
+   *     attribute values. Doing so is a security risk.

I don't get it. Why is this a security risk? It is supposedly sanitized -- just below it says it is sanitized. So why is this a security risk? The security risk would only happen if you also used the wrong object to sanitize that placeholder.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *     - A MarkupInterface object, the object will be cast to a string and not
+   *       sanitized.

Yes, but that is presumably because the MarkupInterface object has previously been properly sanitized. If it was the right object and right placeholders to begin with, you should be OK?

```
+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *       To force sanitization of a MarkupInterface object, cast the
+   *       replacement value to a string, since it is not known what strategy a
+   *       MarkupInterface object uses for sanitization.
```
But... The point is that you don't want to double-escape tags. If you use the right type of string formatting/sanitizing class, you should be OK right?

Also I had to read this at least twice to understand it. Can it say something like:

... instead of passing a MarkupInterface object directly as the placeholder replacement value, cast it to a string first.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *   - %variable: Use when @variable would be appropriate, but the placeholder
+   *     value will also be wrapped in <em> tags with a class. As with

how about "... but you want the placeholder value to be wrapped in em tags..." or something like that? Confusing as it is.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *     - The : placeholder should be used for HTML attribute values, but is
+   *       insecure not to have quotes around the attribute value:

I thought it said above that it's only for href attributes, not for all attributes?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *     - Only the "href" attribute is supported. So, even other attributes
+   *       which take a URL value are unsupported:
+   *       - Insecure: @code <img src=":variable" />@endcode

ok so this contradicts it. Better not to have contradictory text in the docs.

Comment #17

YesCT CreditAttribution: YesCT commented 14 October 2015 at 19:04

Status:

Needs work

» Needs review

File	Size
interdiff.2580505.15.18.txt	1.16 KB
2580505.18.patch	8.31 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,218 pass

not yet addressing #16.

#9 2.
yes. put the warning right up front so people know.

#9 1. awkward wording...
addressing that now.

Comment #18

YesCT CreditAttribution: YesCT commented 14 October 2015 at 19:05

Status:

Needs review

» Needs work

needs work for #16.

Comment #19

kgoel CreditAttribution: kgoel at Forum One commented 21 October 2015 at 20:14

I am working on this.

Comment #20

kgoel CreditAttribution: kgoel at Forum One commented 21 October 2015 at 22:29

Status:

Needs work

» Needs review

File	Size
2580505-20.patch	8.28 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass
interdiff-20.txt	2.23 KB

Addressed https://www.drupal.org/node/2580505#comment-10451213 5, 6 and 7 in this patch.

Comment #21

jhodgdon

she/her

English

CreditAttribution: jhodgdon commented 21 October 2015 at 21:51

I still don't know about this patch.

a) It cuts out a huge amount of documentation. Is this somewhere else? If so we should at least point there.

b) It makes a statement about security that I still do not understand.

Comment #22

YesCT CreditAttribution: YesCT commented 21 October 2015 at 22:35

#21

a. No, it does not cut a huge amount of documentation, it moves it to better locations.

b. yes. that could have been stated in comment #20 when the patch was posted. we are only partially through addressing your earlier feedback.

#16

I agree, adding some clarity (see the section "overall" in #16) is a good idea.

This is totally changing the meaning of this section of docs. Is that right?

Kind of. That information is still there, but is moved to the @param where it is relevant.

The section then on the *class* doc block *is* changed, to be about what to do with the class object (not about how to use a param on a method of the class).

Which I think is an improvement.

2. 3. and 4. need some more thought. I would like to get @pwolanin's input there.
And maybe add some more detail to the insecure examples to make what the risks are more clear. (right now the examples just say what not to do, they do not say what would happen if it were done insecurely.)

Comment #23

YesCT CreditAttribution: YesCT commented 21 October 2015 at 22:41

looking at the interdiff in #20

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -138,10 +138,10 @@ public function jsonSerialize() {
-   *   - %variable: Use when @variable would be appropriate, but the placeholder
-   *     value will also be wrappped in a placeholder class and wrapped in <em>
-   *     tags. As with @variable, do not use within the "<" and ">" of an HTML
-   *     tag, such as in HTML attribute values. Doing so is a security risk.
+   *   - %variable: Use when @variable would be appropriate, but you want the
+   *     placeholder value to be wrapped in em tags. As with @variable, do not
+   *     use within the "<" and ">" of an HTML tag, such as in HTML attribute
+   *     values. Doing so is a security risk.

lost the information about the placeholder class.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -185,11 +185,11 @@ public function jsonSerialize() {
+   *     - The : placeholder should be used for HTML "href" attribute values,
+   *       but is insecure not to have quotes around the attribute value:

"but is" should probably be "but it is"

Comment #24

kgoel CreditAttribution: kgoel at Forum One commented 21 October 2015 at 22:52

File	Size
2580505-24.patch	8.31 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass
interdiff-24.txt	1.77 KB

Addressed #23 1 and 2.

Comment #25

pwolanin CreditAttribution: pwolanin as a volunteer commented 22 October 2015 at 01:34

re #16

2) I'm not sure an attribute value is an example that's easy to see why it's dangerous. But, let's assume an href. I can supply a value like this which is fully escaped but still allows me to execute arbitrary javascript when the link is clicked:

<a href="javascript:eval(String.fromCharCode(97,108,101,114,116,40,34,35,34,41));">click me</a>

If we assume tag name, or an attribute name, they are even more trivial to exploit. This is why we have the special ":" placeholder for URLs to strip dangerous protocols in URL attribute values.

3) This is basically the replacement for the ! placeholder in D7 - we want some markup to pass through. This should have some more warnings perhaps.

4) I guess there are cases where double escaping is better than no escaping, or the markup object maybe have safe HTML but we need plain text.

Comment #26

krknth CreditAttribution: krknth as a volunteer and commented 22 October 2015 at 06:27

File	Size
2580505-25.patch	8.31 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,244 pass

#24
minor changes in patch about exceeding 80 characters.

not added any interdiff file.

Comment #27

stefan.r CreditAttribution: stefan.r commented 22 October 2015 at 08:35

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *     - A MarkupInterface object, the object will be cast to a string and
+   *       not sanitized.
...
+   *       To force sanitization of a MarkupInterface object, cast the
+   *       replacement value to a string, since it is not known what strategy a
+   *       MarkupInterface object uses for sanitization.

This wording here still seems a bit confusing

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
-   *   - %variable: Use when the replacement value is to be wrapped in <em>
-   *     tags.
...
+   *     placeholder value to be wrapped in an em tag with a placeholder class.

We're changing wrapped in <em> tags to wrapped in an em tag with a placeholder class, but isn't the previous wording clearer?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
+   *   - :variable: Use when the return value is to be used as a URL value of
+   *     an HTML attribute. Only the "href" attribute is supported.

Use when the placeholder value is to be used as the value of a "href" attribute.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,39 +113,50 @@ public function jsonSerialize() {
    *     protocols using UrlHelper::stripDangerousProtocols(). Use this when
...
+   *     using the "href" attribute, ensuring the value is always wrapped in

The bit about the href attribute is repeated here.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *   In $string, only the "href" HTML attribute, which takes a URL as the

Not just in $string, maybe this could be more forceful about us not supporting any HTML attribute anywhere through any placeholder (just href).

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *     - It is insecure in $string to have @ or % placeholders within the "<"

"@variable" or "%variable"

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *       - Insecure: @code <@variable>text</@variable> @endcode
+   *       - Insecure: @code <a @variable>link text</a> @endcode
+   *       - Insecure: @code <a href="@variable">link text</a> @endcode
+   *       - Insecure: @code <a title="@variable">link text</a> @endcode
+   *       - Insecure: @code <a href=":variable" title="@variable">link text</a>@endcode

Should these have more explanation about why these are insecure (see the removed code on top of this patch)?

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *     - The : placeholder should be used for HTML "href" attribute values,

":variable" placeholder

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -180,6 +170,28 @@ public function jsonSerialize() {
+   *       - Insecure: @code <img src=":variable" />@endcode

This is not insecure, just unsupported :)

Comment #28

jhodgdon

she/her

English

CreditAttribution: jhodgdon commented 22 December 2015 at 19:58

Status:

Needs review

» Needs work

Status was wrong, per last review.

Comment #29

22 December 2015 at 19:58

Version:

8.0.x-dev

» 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #30

22 December 2015 at 19:58

Version:

8.1.x-dev

» 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #31

22 December 2015 at 19:58

Version:

8.2.x-dev

» 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #32

22 December 2015 at 19:58

Version:

8.3.x-dev

» 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #33

22 December 2015 at 19:58

Version:

8.4.x-dev

» 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #34

22 December 2015 at 19:58

Version:

8.5.x-dev

» 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #35

22 December 2015 at 19:58

Version:

8.6.x-dev

» 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #36

jungle

He/Him

Chongqing, China

CreditAttribution: jungle as a volunteer commented 27 March 2020 at 01:32

Version:

8.8.x-dev

» 8.9.x-dev

Comment #37

27 March 2020 at 01:32

Version:

8.9.x-dev

» 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #38

nikitagupta CreditAttribution: nikitagupta at Srijan | A Material+ Company for Drupal India Association commented 28 May 2020 at 07:33

Assigned:

Unassigned

» nikitagupta

Comment #39

nikitagupta CreditAttribution: nikitagupta at Srijan | A Material+ Company for Drupal India Association commented 31 May 2020 at 08:47

Assigned:	nikitagupta	» Unassigned
Status:	Needs work	» Needs review

File	Size
2580505-39.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 Patch Failed to Apply

Reroll the Patch #26 also covers #27.

Comment #40

nikitagupta CreditAttribution: nikitagupta at Srijan | A Material+ Company for Drupal India Association commented 26 June 2020 at 05:57

File	Size
2580505-39.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,350 pass

Reroll the Patch #26 also covers #27.

Comment #41

davidhernandez

English

USA

CreditAttribution: davidhernandez at FFW commented 29 July 2020 at 03:29

+ * - The result of casting this object to a string should not be used within

I had trouble reading this at first. It might read better was "The result from casting..."

+ * placeholder value to be wrapped in an em tag with a placeholder class.

Should the "em" here be capitalized? I'm not sure if there is a standard. Examples I checked around core are inconsistent.

Comment #42

nikitagupta CreditAttribution: nikitagupta at Srijan | A Material+ Company for Drupal India Association commented 4 August 2020 at 11:45

File	Size
2580505-42.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,464 pass
interdiff_39-42.txt	1.37 KB

Comment #43

4 August 2020 at 11:45

Version:

9.1.x-dev

» 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Comment #44

Abhijith S CreditAttribution: Abhijith S as a volunteer and at Zyxware Technologies commented 23 April 2021 at 11:04

File	Size
2580505-44.patch	8.12 KB
9.2.x: PHP 7.3 & MySQL 5.7 28,222 pass 10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass

File

Size

2580505-44.patch

8.12 KB

9.2.x:
PHP 7.3 & MySQL 5.7 28,222 pass

10.1.x:
PHP 8.1 & MySQL 5.7 28,482 pass

Fixed the CS issue in patch #43.
142 | WARNING | Line exceeds 80 characters; contains 81 characters

Comment #45

23 April 2021 at 11:04

Version:

9.2.x-dev

» 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #46

23 April 2021 at 11:04

Version:

9.3.x-dev

» 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #47

23 April 2021 at 11:04

Version:

9.4.x-dev

» 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #48

23 April 2021 at 11:04

Version:

9.5.x-dev

» 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #49

smustgrave CreditAttribution: smustgrave at Mobomo commented 24 November 2022 at 16:42

Running 10.1 tests if they pass I'll mark RTBC.

Comment #50

smustgrave CreditAttribution: smustgrave at Mobomo commented 25 November 2022 at 17:18

Status:

Needs review

» Reviewed & tested by the community

Comment #51

longwave

he/him

English

CreditAttribution: longwave at Full Fat Things commented 25 November 2022 at 18:18

Status:

Reviewed & tested by the community

» Needs work

Unfortunately the formatting needs a bit of work still:

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,35 +113,47 @@ public function jsonSerialize() {
    *       using \Drupal\Component\Utility\Html::escape().
...
+   *       A call like:

These lines can be wrapped together.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,35 +113,47 @@ public function jsonSerialize() {
+   *     - %variable: Use when @variable would be appropriate, but you want the
+   *     placeholder value to be wrapped in an <em> tag with a

Indentation is off here in the first line.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,35 +113,47 @@ public function jsonSerialize() {
    *     @code
...
+   *     $this->placeholderFormat('Prefix %output_text', ['%output_text' => 'text output.']);
    *     @endcode

Indentation is off here.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -134,35 +113,47 @@ public function jsonSerialize() {
+   *     - :variable: Use when the return value is to be used as a URL value of

Indentation is off here.

Comment #52

smustgrave CreditAttribution: smustgrave at Mobomo commented 25 November 2022 at 18:28

Status:

Needs work

» Needs review

File	Size
interdiff-44-52.txt	2.14 KB
2580505-52.patch	8.18 KB
10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass

5 files were hidden/shown/deleted

File	Size
2580505-39.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 Patch Failed to Apply
2580505-39.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,350 pass
2580505-42.patch	8.11 KB
9.1.x: PHP 7.4 & MySQL 5.7 27,464 pass
interdiff_39-42.txt	1.37 KB
2580505-44.patch	8.12 KB
9.2.x: PHP 7.3 & MySQL 5.7 28,222 pass 10.1.x: PHP 8.1 & MySQL 5.7 28,482 pass

Easy fixes

Comment #53

longwave

he/him

English

CreditAttribution: longwave at Full Fat Things commented 28 November 2022 at 12:22

Status:

Needs review

» Needs work

Two more nits and a wider comment:

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -136,35 +115,47 @@ public function jsonSerialize() {
+   *       using \Drupal\Component\Utility\Html::escape(). A call like:
+   *
+   *       @code

Blank line isn't needed here.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -136,35 +115,47 @@ public function jsonSerialize() {
+   *     - :variable: Use when the return value is to be used as a URL value of
+   *       an HTML attribute. Only the "href" attribute is supported.
+   *     Return value is escaped with

Indentation is still off here; the first two lines need to go back in by two spaces. Also it looks like this entire paragraph can be rewrapped at closer to 80 characters.

+++ b/core/lib/Drupal/Component/Render/FormattableMarkup.php
@@ -182,6 +173,31 @@ public function jsonSerialize() {
+   *   In $string, only the "href" HTML attribute, which takes a URL as the
+   *   value, is supported via the special ":variable" placeholder. With the
+   *   "href" attribute, the ":variable" placeholder allows simple links to be
+   *   inserted:

This is a bit repetitive of the section above that mentions the :variable format. Should we combine the two?

Comment #54

smustgrave CreditAttribution: smustgrave at Mobomo commented 28 November 2022 at 19:43

Not the best technical writer. There a good tag to get some feedback on that?

Comment #55

28 November 2022 at 19:43

Version:

10.1.x-dev

» 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Improve FormattableMarkup documentation

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

Parent issue

Related issues

Referenced by