Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
This is a follow-up to this issue which increased character limit. We should convert this input from a textfield to a textarea so there is no limitation on amount of allowed HTML tags. As a result of the previous issue there is a 2048 character limit, and while this is sufficient for many use cases, there are some which require more.
Proposed resolution
Convert from textfield type to textarea and sanitize the input from including newlines.
Remaining tasks
User interface changes
None
API changes
None
Data model changes
None
Comment | File | Size | Author |
---|---|---|---|
#50 | 2656278-50.patch | 4.38 KB | alexpott |
#50 | 48-50-interdiff.txt | 1.03 KB | alexpott |
#48 | 2656278-46.patch | 4.38 KB | alexpott |
#48 | 38-46-interdiff.txt | 858 bytes | alexpott |
#44 | filter-test.patch | 3.57 KB | droplet |
Comments
Comment #2
walangitan CreditAttribution: walangitan at Chromatic commentedComment #3
walangitan CreditAttribution: walangitan at Chromatic commentedPatch that converts textfield to a textarea, needs further work for handling newlines from being included in the text area - a copy of the original comment by swentel around this issue is below:
Comment #4
walangitan CreditAttribution: walangitan at Chromatic commentedComment #5
walangitan CreditAttribution: walangitan at Chromatic commentedComment #6
miteshmapAdded Js modification to remove new line.
Some extra changes are:
1. This is showing error when node is null.
2. Also can't able to access node.attributes when node is null. The very next line is finding .length. which needs to be passed empty string on null.
Comment #7
luca_cracco CreditAttribution: luca_cracco commentedI tested the patch #6 and it works for me.
Comment #8
ejb503 CreditAttribution: ejb503 at Zoocha commentedPatch also tested and working great, screenshot attached
Comment #9
gadaniels72 CreditAttribution: gadaniels72 as a volunteer commentedI also tested patch #6 and it works for me. Steps taken to test:
In all case, tests passed.
Comment #10
swentel CreditAttribution: swentel commentedI'm wondering if we should remove new lines also on save ? What if the person configuring does not have javascript ?
Comment #11
empesan CreditAttribution: empesan commentedPatch tested and it was a JS error when textarea is empty and you leave the textarea context: Uncaught TypeError: Cannot read property 'length' of null
So I've added new check condition in miteshmap (#6) patch to solve that.
Comment #12
gadaniels72 CreditAttribution: gadaniels72 as a volunteer commentedTesting #11:
With a text format that does not an editor, it works and does not throw the JS exception.
With a text format that uses the CKeditor,if I delete all the tags and save, the JS exception is gone now and the toolbar, when creating content that has a wysiwyg field, the toolbar is (correctly) empty (except for format and source buttons). However, when I go back to edit the configuration again, the tag list has re-populated to match the active toolbar. Only by editing the active toolbar (dragging the buttons off) can I make the tags not show back up in the allowed tags field when I reload the form.
This behavior did not happen with patch #6; in that case, on the configuration page, the displayed active toolbar remains the default (with buttons for bold, italic, etc) but the allowed tags field remains empty. On adding content, the editor shows the same format and source buttons only.
Comment #13
malaimo29001 CreditAttribution: malaimo29001 as a volunteer commentedI have also reviewed the patch against Drupal git branch origin/8.0.x.
It is working:
1.) Change from text to textfield input.
2.) The 2048 restriction has been removed.
After review two potential size restraints based upon PHP and Database could occur:
1.) There is still a limit imposed by PHP's post_max_size configuration setting, which by default would allow 8 Megabytes or the php_memory_limit which could be less than 8 Megabytes in the event restricting or allowing a large amount of data to be entered into the database field.
http://php.net/manual/en/ini.core.php#ini.post-max-size
2.) In addition a user could potentially enter a value as large as the database type for the field which in MySQL is longblob. This could be an enormous amount of data.
http://dev.mysql.com/doc/refman/5.7/en/storage-requirements.html
This is good, but does anyone think that we should just impose a larger size for the textfield HTML restricted tags list so that it cannot be maxed out as described above? I understand that was not the original design of the task or patch, but it could mitigate the page from not submitting due to application error in addition to keeping the data manageable even for that one field.
Comment #14
vaidehi bapat CreditAttribution: vaidehi bapat at TATA Consultancy Services for Pfizer, Inc. commentedWorking on this issue as a part of DrupalCon Asia 2016 Code Sprint
Comment #15
vaidehi bapat CreditAttribution: vaidehi bapat at TATA Consultancy Services for Pfizer, Inc. commentedI applied patch provided in #11. It fails to apply on latest 8.0.x branch. It needs to be recreated.
Comment #16
nileema.jadhav CreditAttribution: nileema.jadhav at TATA Consultancy Services for Pfizer, Inc. commentedI applied the patch on Drupal 8.0.x-dev version on PHP5.5 and patch applied correctly and working fine.
Comment #17
manmohandream CreditAttribution: manmohandream at Srijan | A Material+ Company commented#11 Works fine for me. Screenshot attached.
Comment #18
vaidehi bapat CreditAttribution: vaidehi bapat at TATA Consultancy Services for Pfizer, Inc. commentedOkay. I applied the patch on old version. In new version, it works fine. Thank you.
Comment #19
vaidehi bapat CreditAttribution: vaidehi bapat at TATA Consultancy Services for Pfizer, Inc. commentedComment #21
webchickLIVE FROM DRUPALCON ASIA WOOOOOOOO!!!
This was one of the patches we committed in live commit! Congrats to everyone!
xjm pointed out that swentel's comment wasn't yet addressed, so this may need some follow-up work done, but for now this looks like a totally great improvement over the status quo.
Because of the JS changes this one feels a bit risky to commit to 8.0.x, but let's go forward for 8.1.x. Yay!
Committed 5376602 and pushed to 8.1.x. Thanks!
Comment #22
alexpottSmall followup for JS standards - #2672690: Fix JS standards in filter.filter_html.admin.js
Comment #23
xjmI think we also need followups for #10 (swentel's comment about newlines) and #13:
Comment #24
nod_Wish eslint was used before commit, especially since the issue wasn't tagged with JavaScript.
Comment #25
droplet CreditAttribution: droplet commentedWOW! didn't know we created a follow up issue. Great!
#10++ and replacing \r\n
and #24++
Maybe revert it ?
Until a new patch or a follow up issue is created, I keep it Needs work :)
Comment #26
droplet CreditAttribution: droplet commentedComment #27
alexpottLet's leave this a fixed because we have a followup to address the issues and until eslint is run by testbot it is hard to enforce. Once it is - this will no longer happen.
Comment #28
alexpottHmmm.... actually looking at the javascript more closely I think we have a problem.
Well missing handling of a carriage return ie. \r - see https://stackoverflow.com/questions/10805125/how-to-remove-all-line-brea...
I think that the whole line break question should be resolved in PHP and not javascript tbh :( And then we can open a followup to discuss the UX of removing them with JS.
Sadly I think this should be reverted too.
Comment #30
alexpottHere's an example of how to remove all the line breaks in a string in PHP from
system_mail()
Comment #31
alexpottAlso looking at FilterHtml I'm not entirely sure that it even matters if new line characters are in this string - but that would need to be tested. So maybe we should just fix the js to handle new lines but not actually remove them. I'm not sure about this.
Comment #32
swentel CreditAttribution: swentel commentedShould also remplace \r\n - unless windows has gotten smarter these days.
Comment #33
alexpottSo actually the javascript changes were completely unnecessary after the changes in #2549077: Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default. Basically
Strips all new lines outside of tags. It then uses the the browser to create elements of all the tags so spaces and returns don't (appear to) matter either - but maybe someone who worked on #2549077: Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default can confirm because the JS is quite complex.
Comment #35
alexpottThe interdiff is correct but the patch was not right because of the revert...
Comment #37
alexpottComment #38
alexpottHere's the patch - for some reason I can't upload patches today...
Comment #39
droplet CreditAttribution: droplet commentedIn fact, for this issue's purpose we only need these few lines.
Here's another problem of it didn't clean the data correctly ( Set & Get Raw data ) (that's why tests failed)
Comment #40
alexpott@droplet I disagree that we only need those lines - given that users can now add line breaks we should handle them in PHP so that it does not matter whether a user has JS enabled or not. With only those few lines and JS enabled line breaks would be removed but with JS disable line breaks would be saved. That is an inconsistency introduced by this patch and so should be solved here.
Comment #41
droplet CreditAttribution: droplet commented@alexpott,
I meant it's more than line break, you can adding whatever there now.
Comment #42
alexpott@droplet true tabs and all sorts... some of this was possible in the textfield days though too. I'd like to get this to the point where it does not matter if you have JS enabled or not you get the same result...
Atm without JS if you enter
<em >
it'll be saved like that - with JS it'll be saved as<em>
. More problematically is<br/>
with without JS is saved without modification but with JS it is saved (correctly) as<br>
- but this is an existing issue and for followup.Comment #43
Wim Leers#33: Confirmed that the JS already handles newlines just fine:
#40: Agreed. This needs to work correctly even when JS is off. You can easily prove that this is or isn't necessary, by updating the test coverage for
\Drupal\filter\Plugin\Filter\FilterHtml::getHTMLRestrictions()
to have anallowed_html
setting that contains newlines and carriage returns.#1936392: Configure CKEditor's "Advanced Content Filter" (ACF) to match Drupal's text filters settings is the issue that originally introduced
::getHTMLRestrictions()
. Its test coverage lives at\Drupal\filter\Tests\FilterAPITest::testFilterFormatAPI()
. Another possibility is expanding the test coverage in\Drupal\Tests\filter\Unit\FilterHtmlTest
.Comment #44
droplet CreditAttribution: droplet commentedComment #45
alexpott@droplet it was already possible to put garbage in here - this patch does not change that what it changes is the possibility of putting line breaks which you changed #38 from testing for some reason not explained in #44. And yes the current JS will clean up comments and the PHP will not that is what the follow up described in #42 will address.
Comment #47
droplet CreditAttribution: droplet commented@alexpott,
#44, I just wonder if the test cases didn't catch it correctly.
I also agree to keep it same, no matter with/without JS. I just thought we can do them all at once in another issue.
Comment #48
alexpott@droplet but it is this issue that introduces the new line problem so we have to handle it here. Existing issues we don;t have to handle here.
Here's the unit test the @Wim Leers asked for.
Comment #49
droplet CreditAttribution: droplet commentedI'm not argue with it anyway :). It's fine to me. Let's move it forward!!!
If I understand it correctly, here's not remove new lines.
** Free Talk, Don't Read: **
General speaking, you're right. Technically, nope. We still able to add line break in text input (OK. this is really not regular users can do). And if we only deal with the problem we introduce now, we should not take the space out. :P
Comment #50
alexpott@droplet because it leads to a better more elegant solution
This removes new lines, tabs, spaces... any whitespace characters:
\t\n\x0B\f\r
With this patch both the JS and PHP remove new lines.
Comment #51
droplet CreditAttribution: droplet commentedAhh right, Sorry! Needs some fresh air.
Comment #52
Swetha Yarla CreditAttribution: Swetha Yarla at Melity commentedComment #53
johnmcc CreditAttribution: johnmcc as a volunteer commentedPatch #50 tested against 8.1.x. It applied cleanly and worked properly.
Comment #54
Swetha Yarla CreditAttribution: Swetha Yarla at Melity commentedComment #55
swetashahi CreditAttribution: swetashahi at Srijan | A Material+ Company commentedComment #56
xjmHi @Swetha Yarla and @swetashahi,
When you assign issues to yourselves, can you please also add a comment explaining what you intend to do with the issue?
Comment #58
svogt CreditAttribution: svogt commentedI am reviewing this at the drupalcon 2016 mentored sprints session.
Comment #59
svogt CreditAttribution: svogt commentedI am reviewing this at drupalcon 2016.
Comment #60
droplet CreditAttribution: droplet commentedMy concern on #39, we can dicuss in public now: #2725255: Unfiltered data in "Allowed HTML tags"
Comment #64
swetashahi CreditAttribution: swetashahi at Srijan | A Material+ Company commentedComment #68
jamesdeee CreditAttribution: jamesdeee as a volunteer commentedI'm going to review this now...
Comment #69
jamesdeee CreditAttribution: jamesdeee as a volunteer and at manifesto commentedHi there,
I've tested this out on 8.4 in Simplytest.me. I:
- Added an
into the allowed list for filtered HTML with several newlines after it, then saved. The newlines are stripped out
- Added lots of tags (7872 characters in all). The field saved fine
- Tried to recreate the issue raised by @gadaniels72 above by creating a node using a WYSIWYG format, saving it then checking the allowed tags in the configuration, and I cannot replicate it.
Comment #70
xjmThis is a great change! I have totally hacked sites before to make exactly this improvement.
There seem to be about eight copies of the screenshot in the summary for some reason. Removing that and saving issue credit...
Comment #72
xjmIt looks like the original reasons this was reverted have been addressed, and as a bonus, it now has a JS maintainer's review and also test coverage. Thanks @jamesdesq for clearly documenting your manual testing.
There was one coding standard error:
I fixed that on commit:
Committed to 8.4.x! I'm also so keen on this change that I backported it to the 8.3.x alpha as a nice usability improvement for the minor.
Comment #74
xjmComment #76
jamesdeee CreditAttribution: jamesdeee as a volunteer and at manifesto commented@xjm - I just wanted to say thanks for the acknowledgement above! It was the first time anyone had thanked me for working on a Drupal ticket, and it inspired me to go on and pick up some more issues.