Problem/Motivation
The parent issue has this for one of the use cases of token::replace (not always):
User-entered strings with markup should mean the return of Token::replace() is Xss::filter()d or explicitly trusted (i.e. marked as safe) and permission-restricted.
Except marked as safe is no longer possible. All the ways to do that are @internal or @deprecated. In my case $text is admin provided and so it can be trusted, and all the placeholders are escaped by token anyways:
$replacements[$token] = $value instanceof MarkupInterface ? $value : new HtmlEscapedText($value);
Proposed resolution
Add a TrustedTokenMarkup domain object? No idea really.
Remaining tasks
User interface changes
API changes
Data model changes
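To make the escaping rule quoted in the summary concrete, here is an added stand-alone PHP sketch; it is not Drupal's code and not the patch from this issue. The MarkupInterface and HtmlEscapedText classes are minimal stand-ins for Drupal's, and TrustedTokenMarkup is a hypothetical wrapper along the lines of the proposed resolution: the only way to say "this output is already safe" is to return an object implementing MarkupInterface.

```php
<?php
// Minimal stand-ins (assumption: they mimic Drupal's contract only as far as
// this sketch needs; they are not the real classes).
interface MarkupInterface { public function __toString(): string; }

final class HtmlEscapedText implements MarkupInterface {
  public function __construct(private string $raw) {}
  public function __toString(): string {
    return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }
}

// Hypothetical TrustedTokenMarkup: marks an already-safe HTML string so that
// later consumers do not escape it a second time.
final class TrustedTokenMarkup implements MarkupInterface {
  public function __construct(private string $html) {}
  public function __toString(): string { return $this->html; }
}

// Mirrors the rule quoted from Token::replace(): a value that already
// implements MarkupInterface passes through, a plain string is HTML-escaped.
function replace_tokens(string $text, array $values): TrustedTokenMarkup {
  $replacements = [];
  foreach ($values as $token => $value) {
    $replacements[$token] = $value instanceof MarkupInterface ? $value : new HtmlEscapedText($value);
  }
  // $text is the admin-provided template and is trusted as-is; only the
  // placeholder values are escaped, so the whole result can be marked safe.
  return new TrustedTokenMarkup(strtr($text, array_map('strval', $replacements)));
}

// Constructed sample input: an admin template with one user-supplied value
// and one value that is already safe markup.
$template = '<p>Hello [user:name], welcome to <em>[site:name]</em>!</p>';
$values = [
  '[user:name]' => '<script>alert(1)</script>',            // user input: escaped
  '[site:name]' => new TrustedTokenMarkup('My &amp; Site'), // safe markup: untouched
];
echo replace_tokens($template, $values), "\n";
```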
Comments
Comment #2
chx CreditAttribution: chx at Smartsheet commented
Comment #3
chx CreditAttribution: chx at Smartsheet commented
Tentative patch.
Comment #4
chx CreditAttribution: chx at Smartsheet commented
Comment #6
chx CreditAttribution: chx at Smartsheet commented
Comment #8
chx CreditAttribution: chx at Smartsheet commented
These are relatively easy to fix. Needs review more than work.
Comment #9
chx CreditAttribution: chx at Smartsheet commented
Comment #10
chx CreditAttribution: chx at Smartsheet commented
Comment #11
chx CreditAttribution: chx at Smartsheet commented
Comment #12
alexpott commented
I think Token probably should have its own MarkupInterface object. And what's fun about this is that we could then delay replacement until render time - exactly the way we do with translated strings now.
Comment #13
alexpott commented
I'm pretty sure we have more to do on the safeness of token replacement though. It's a super complex issue.
Comment #15
Berdir commented
I think this is more or less a duplicate of #2580723: Fix token system confusion, with new function Token::replacePlain(), where I'm proposing something similar now, as a new method in a way that is as safe as possible (this is not).
Comment #16
chx CreditAttribution: chx at Smartsheet commented