Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
- Default filter order of
@Filter=filter_html_image_secure
(on by default) +@Filter=entity_embed
(added by this module) results in this when embedding images:
- Default filter order of
@Filter=filter_align
(on by default) +@Filter=filter_caption
(on by default) +@Filter=entity_embed
(added by this module) results in this when embedding media:
<figure role="group"> <article class="embedded-entity align-right"> <div> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div class="field field--name-field-media-image field--type-image field--label-hidden field--item"> <img src="/sites/doc/files/styles/medium/public/2018-02/nice_image.png?itok=4x0LQDwY" width="315" height="240" alt="Alt text goes here" typeof="foaf:Image" class="img-responsive"> </div> </div> </div> </div> </article> <figcaption>Fancy Caption Goes Here</figcaption> </figure>
As proven by
\Drupal\Tests\filter\Kernel\FilterKernelTest::testAlignAndCaptionFilters()
, thedata-align="center"
(for example) should result in<figure … class="align-center">
.
Proposed resolution
- Document + automate
@Filter=filter_html_image_secure
running BEFORE@Filter=entity_embed
- Document + automate
@Filter=filter_align
+@Filter=filter_caption
+@Filter=entity_embed
— order TBD
Remaining tasks
- Determine correct order for align/caption/entity embed filters
- The existing test coverage in
\Drupal\entity_embed\Tests\EntityEmbedFilterTest::testFilter()
should be expanded.
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
/
Comment | File | Size | Author |
---|---|---|---|
#42 | 2752253-42.patch | 10.92 KB | Wim Leers |
| |||
#42 | 2752253-42_tests_only_FAIL.patch | 5.59 KB | Wim Leers |
#41 | 2752253-41.patch | 5.39 KB | Wim Leers |
| |||
#41 | interdiff.txt | 1.2 KB | Wim Leers |
#39 | 2752253-39.patch | 5.74 KB | Wim Leers |
Comments
Comment #2
marcoscanoComment #3
samuel.mortensonI believe this is an Entity Embed issue, as the actually embedding happens outside of File Browser's domain. Should we move this issue to their queue?
Comment #4
dagmarActually, you only have to change the order of the filters, not disable them.
Comment #5
samuel.mortenson@dagmar What order should the filters be in? I can go ahead and update the project description with this information if it will help users.
Comment #6
dagmarSure. Actually this belogns to entity embed project.
The
entity embed filter
should be placed after theRestrict images to this site
Comment #7
slashrsm CreditAttribution: slashrsm at MD Systems GmbH commentedI've noticed this problem in the past too. However, I think that I've seen it working on some sites. If that is true it could indicate that this problem depends on the environment configuration.
Adding a note to the docs is a simple first step, but I think that we should check why that happens and make sure image URLs are built in a way that avoids this problem.
Comment #8
marcoscanoI have just reproduced this on a clean install, the steps are:
- Simplytest.me, install & enable entity_embed (+embed) and media_entity_image (+media_entity +entity)
- Go to
admin/structure/media
, create an image bundle, with an image source field- Go to
admin/config/content/embed/button/add
and create an embed button to add this media image- Edit a text format (say
admin/config/content/formats/manage/basic_html
), and perform the following actions:* Drag the recently created embed button to the ckeditor toolbar
* Check the setting
Display embedded settings
to enable the filter- Go to
/media/add
and create an image entity- Go to
/node/add/article
, and try to embed the image entity you created in the previous step:* Click on the embed button
* Select the image on the autocomplete
* Select the Thumbnail formatter, for example
* Click on "Embed"
At this point we already see that the image is being filtered out and the error message is shown as Alt on the error icon:
If we go back to the text format config page (in this case
admin/config/content/formats/manage/basic_html
) and re-order the filters, by dragging theDisplay embedded entities
to be placed just after theRestrict images to this site
(as @dagmar said in #6), then the last step can be completed and the image entity is embedded without any problems.Having a note on the documentation of both projects (entity_embed and file_browser) would certainly improve the user experience IMHO.
Comment #9
marcoscanoComment #10
Wim LeersRelated: #2969704: Document correct filter_align + filter_caption + entity_embed filters order, write tests, and ensure correct by default. Merging that into this issue. Updated IS.
Comment #11
Wim LeersThis blocks #2614350: entity_embed's text filter should be enabled by default … but in which text formats?.
Comment #12
marcoscanoWIP patch.
As it turns out
\Drupal\filter\Plugin\Filter\FilterHtmlImageSecure
hasweight = 9
in its annotation, so I guess setting 10 as our default weight should be enough for issue #1.For issue #2, neither of those filters have default weight specified (0) , so it's impossible for us to have our default run before that and after
filter_html_image_secure
. Should we modify the plugin definition and hack their default values? Maybe we can get away just with the validation logic to avoid that?Also, I couldn't quite get the
<figcaption>
thing working as described in the IS, I'm probably missing something, will continue on this tomorrow.Comment #13
Wim LeersI'd argue that wouldn't be a hack, but a minor improvement. See
filter.format.basic_html.yml
:and
filter.format.full_html.yml
:IOW: the two default formats in core are already enabling those two filters and are making them run early.
Shouldn't
\Drupal\entity_embed\Plugin\Filter\EntityEmbedFilter
run before\Drupal\filter\Plugin\Filter\FilterHtmlImageSecure
?Neither can I. I just tried to reproduce this. I:
/admin/config/content/embed
, created a embed button/admin/config/content/formats/manage/basic_html
and turned on the filter + dragged the "Media" button I just created into the active toolbar/node/add/article
and inserted an image from my Media Library, aligned it to the center and captioned itSo given that … I'm not sure about the correctness of
FilterHtmlImageSecure
, see #2528214-51: "Restrict images to this site" blocks image style derivatives.Conclusion: AFAICT there's nothing we need to do here, except document explicitly that the current default weight of zero is fine, and this filter should run:
but that #2528214: "Restrict images to this site" blocks image style derivatives really needs to be fixed.
Comment #14
marcoscanoI missed completely the shipped config files, thanks for pointing that out!
Would it be worth adding validation to the form to enforce this order is respected? (since we know if they are outside of this order things won't work).
Comment #15
Wim LeersYes! That'd allow us to have much more confidence that it's working correctly.
This only works on the form. Ideally … we'd be able to surface this in the status report. Then existing sites would also benefit from this.
But that would require the validation to live at the config level, and that'd pretty much mean blocking this on #2869792: [meta] Add constraints to all config entity types, which would be silly.
So I'm fine with doing this only at the form level. That's pragmatic.
Comment #16
marcoscanoAs discussed, let's leave the interaction with the "restrict images to this site only" filter to be solved in core, which is where it belongs, and keep our validation only checking the order respect to the alignment and caption filters.
I'll work on that next.
Comment #17
Wim LeersAs discussed: #2528214-53: "Restrict images to this site" blocks image style derivatives:
Comment #18
marcoscanoI've added some help text as well to the filter description, I hope that helps more than it confuses things... :)
(no interdiff because the patch is completely different from the previous one)
Comment #19
Wim LeersDoesn't actually work yet because this contains strings; the string
"0"
is considered "empty" byempty()
."Entity Embed" is not the actual label of this filter.
More importantly: the
>=
condition should be<=
.Comment #20
Wim LeersLogic is simplifiable.
Comment #21
phenaproximaRemoving defunct D8Media tag.
Comment #22
marcoscano#20: 👍
Thanks!
Comment #23
phenaproximaVery useful patch, and makes sense to me. Couple of things...
This seems like a strange and somewhat unreliable way of getting the filter label. Can we use the filter plugin manager to retrieve it directly from the plugin definition instead?
The key here looks like copypasta...
Comment #24
Wim LeersIf we need to consider this unreliable, then we also need to consider this form-based validation logic unreliable. Because that too depends on the form structure remaining the same.
Like I said in #15, ideally this would be implemented using validation constraints. But that'd block this on #2869792: [meta] Add constraints to all config entity types, which doesn't make sense.
Comment #25
marcoscano👍
Comment #27
phenaproximaCommitted and pushed, thanks!
Comment #28
Wim LeersYay, #2614350: entity_embed's text filter should be enabled by default … but in which text formats? is now unblocked!
Comment #29
Wim LeersLooking at this again, I think we need to re-evaluate this.
Even though I managed to convince @marcoscano, I think he was right after all :)
One of the consequences of running the
entity_embed
filter before the alignment filter is that it results in a caption with a class ofcaption-article
for entities, rather thancaption-entity-embed
. IOW: we lose the semantics of what we're captioning. IOW: letting captioning and alignment filters run before the Entity Embed filter, unlike what I said before.If we do that, then we might as well run the Entity Embed filter last, which then also achieves @marcoscano's point, which I originally felt wasn't as important, but now I've become convinced it's actually better: it means that no filters will ever mess with content (HTML) transcluded (embedded) from other sources (entities or otherwise), which is great. Filters exist for securing and transforming user input, and transcluded/embedded content is not user input.
On top of that, this makes it much easier to explain to site builders how to fix their site.
Patch attached.
Comment #30
oknateManually testing I found two bugs. This error displays even if the Caption images filter isn't enabled:
"The Display embedded entities filter needs to be placed after the Caption images filter".
It needs to check $filters['filter_caption']['status'] as well. If status is 0, no comparison is needed, and no error should be thrown.
Also there's a copy error here:
it should be comparing filter_html_image_secure's weight here not filter_caption.
Comment #31
oknateComment #32
Wim Leers👌🙏
Comment #33
oknatefix the two issues above. Since the code is checking the same thing on all three, I put it in a loop.
Comment #34
oknateComment #35
oknateIt would be great to get this fixed. I'm trying to write functional tests and I'm having to include extra code to account for this bug where you must enable align filter and caption filter in order to enable entity embed filter.
You shouldn't have to enable filter_caption and filter_align in order to enable the entity_embed filter!
Comment #36
marcoscanoThanks for fixing this!
I've reviewed and manually tested #33, and I have just a couple remarks:
Could this perhaps be simplified into:
if (empty($filters[$filter_name]['status']) {
?
With the current code, if entity embed is before all three, only the first error message will be shown:
The Display embedded entities filter needs to be placed after the Align images filter.
I think it would be better to store in a variable
$errored_filters
all filters that have weight >= entity embed's weight, and then show a single message such as:The Display embedded entities filter needs to be placed after the following filters: Foo, Bar, Baz.
Comment #37
Wim LeersWith the JSON:API core patch finally having reached RTBC yesterday, I will look at this (and other Media issues) again starting tomorrow! Now going back to enjoy my day off :)
Comment #38
oknatePer feedback in #33, simplified empty check and updated to use format plural. I renamed some variables to make them clearer.
Comment #39
Wim LeersThanks @oknate and @marcoscano for pushing what I did in #29 to completion :)
#validate
callback). Ideally, we'd be using validation constraints. #2969065: Use typed config validation constraints for validation of cdn.settings simple config has shown this is possible. But it requires validating the entire config entity, and it's not up to a particular contrib module (like this one) to enable that forFilterFormat
config entities: if multiple contrib modules do this, we'd validate multiple times. Plus, it's possible some contrib modules get their validation constraints wrong. So … not holding this back for that. Especially if nothing in core is doing this today anyway.Comment #41
Wim LeersOops, I deleted a bit too much from what #3022754: @EntityEmbedDisplay=image plugin: no image-specific warning displays when invalid image selected added :)
Comment #42
Wim LeersAnd here are tests. The failing test-only patch is also the interdiff.
Comment #44
Wim Leers🥳
Comment #46
Wim LeersComment #47
oknateHere's a nit:
It's colloquial to leave out the noun and start with the verb "should". Perhaps we should be a bit more formal and change:
"Should usually run as the last filter,"
to
"This should usually run as the last filter,"
Sorry I didn't get this in before it was merged. It's not a blocker.
Thanks, Wim for getting this issue committed! Awesome.
Comment #48
Wim LeersI'm sure a lot of language in this module could use tightening. If you'd like to improve that, I suggest you create an issue specifically for UI string improvements :) Then all the credit will be yours too ;) :D
Comment #49
oknateSure, we crossed streams as you were committing. Thanks for getting this in!
Comment #50
Wim LeersCreated change record: https://www.drupal.org/node/3051742