Problem/Motivation

API page: https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Util...

> array $html_tags: An array of HTML tags.

That's nice. What are they for?

Steps to reproduce

Proposed resolution

  1. Change the comment to "An array of allowed html tags"
  2. Change the parameter name to $allowed_html_tags

Remaining tasks

Review patch

User interface changes

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#48 diff-23-36.txt1.11 KBquietone
#36 2800691-36.patch1.98 KBbharath-kondeti
#31 2800691-30.patch2 KBbharath-kondeti
#27 interdiff_23-27.txt576 bytessahil.goyal
#27 2800691-27.patch2.02 KBsahil.goyal
#23 interdiff_19_23.txt497 bytesRishabh Vishwakarma
#23 2800691-23.patch1.99 KBRishabh Vishwakarma
#19 2800691-19.patch1.98 KBdjsagar
#19 interdiff_16-19.txt1.87 KBdjsagar
#16 interdiff_3-16.txt597 bytesravi.shankar
#16 2800691-16.patch577 bytesravi.shankar
#3 filter_xss-2800691-3.patch583 bytesshashikant_chauhan

Issue fork drupal-2800691

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

joachim created an issue. See original summary.

shashikant_chauhan’s picture

shashikant_chauhan CreditAttribution: shashikant_chauhan as a volunteer and at Iksula commented
Assigned: Unassigned » shashikant_chauhan
shashikant_chauhan’s picture

shashikant_chauhan CreditAttribution: shashikant_chauhan as a volunteer and at Iksula commented
Status: Active » Needs review
FileSize
filter_xss-2800691-3.patch583 bytes

Adding patch.

Chi’s picture

Chi CreditAttribution: Chi commented

We can make step further and rename the parameter to $allowable_tags (same as in strip_tags PHP function).

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone commented
Version: 9.4.x-dev » 9.5.x-dev
Assigned: shashikant_chauhan » Unassigned
Category: Bug report » Task
Issue summary: View changes
Status: Needs review » Needs work

Discussed this issue at a documentation triage meeting, myself and ambermatz were present. We agreed to un-assign this since it has not been worked on since 2016, that this is a task, that "An array of allowed html tags" is preferred. I have updated the IS.

Amber Himes Matz’s picture

Amber Himes Matz
she/her
Primary language English
Location Portland, OR USA
CreditAttribution: Amber Himes Matz at Drupalize.Me commented

I like the idea of changing the variable name to $allowable_tags as suggested in #4.

ravi.shankar’s picture

ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commented
Status: Needs work » Needs review
FileSize
2800691-16.patch577 bytes
interdiff_3-16.txt597 bytes

Made changes as per comment #14.

I think we could also use $allowable_html_tags instead of $allowable_tags.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative

This issue is being reviewed by the kind folks in Slack, #need-reveiw-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge require as a guide.

Think a good middle ground would be to use allowable_html_tags per #16.

If someone could make the quick change. I can mark it.

djsagar’s picture

djsagar CreditAttribution: djsagar at OpenSense Labs commented
FileSize
interdiff_16-19.txt1.87 KB
2800691-19.patch1.98 KB

Tried to address the changes mentioned in #18.
Changed only for first method.

djsagar’s picture

djsagar CreditAttribution: djsagar at OpenSense Labs commented
Status: Needs work » Needs review
smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community

Thanks!

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Title: Xss::filter() doesn't explain the $html_tags parameter » Improve docs for the Xss::filter() $html_tags parameter
Status: Reviewed & tested by the community » Needs work 
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -45,8 +45,8 @@ class Xss {
+   * @param array $allowable_html_tags

The value can also be Null, so "array|null". But I believe the array is a sting array, if that is correct, this is then "string[]|null"

Rishabh Vishwakarma’s picture

Rishabh Vishwakarma CreditAttribution: Rishabh Vishwakarma at OpenSense Labs for DrupalFit commented
Status: Needs work » Needs review
FileSize
2800691-23.patch1.99 KB
interdiff_19_23.txt497 bytes

Updated the patch as per #23

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community

Thanks

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 23: 2800691-23.patch, failed testing. View results

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

Random

sahil.goyal’s picture

sahil.goyal CreditAttribution: sahil.goyal as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented
FileSize
2800691-27.patch2.02 KB
interdiff_23-27.txt576 bytes

Update the #23 try to resolve the assertion failure.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs work » Reviewed & tested by the community

27 was not needed as the failure in 23 was random

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Status: Reviewed & tested by the community » Needs work

#23 looks good but no longer applies.

bharath-kondeti made their first commit to this issue’s fork.

bharath-kondeti’s picture

bharath-kondeti CreditAttribution: bharath-kondeti as a volunteer and at Specbee commented
FileSize
2800691-30.patch2 KB

#23 was not applying. I have tried creating a new patch. It works for me, please review the same.

bharath-kondeti opened merge request !3946

bharath-kondeti’s picture

bharath-kondeti CreditAttribution: bharath-kondeti as a volunteer and at Specbee commented
Status: Needs work » Needs review

Raised an MR for the same https://git.drupalcode.org/project/drupal/-/merge_requests/3946

FeyP’s picture

FeyP CreditAttribution: FeyP as a volunteer and at werk21 commented
Status: Needs review » Needs work
Issue tags: +Needs issue summary update

This issue is being reviewed by the kind folks in Slack, #need-reveiw-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge require as a guide.

LGTM, but needs an issue summary update in proposed resolution and remaining tasks. Tagging for that.

I also wonder, since we now use "allowable" in the variable name, shouldn't we also use "allowable" in the parameter description instead of "allowed"? But I'm not a native speaker, so I'm not really sure about that one. Also, as a non-native speaker, I had to look up "allowable" in a dictionary whereas I knew what "allowed" was, even though I think my English is not that bad actually. But that's just me. After having done that, I agree that it is probably the more accurate term to use, though.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

I think allowed_html_tags reads better.

bharath-kondeti’s picture

bharath-kondeti CreditAttribution: bharath-kondeti as a volunteer and at Specbee commented
FileSize
2800691-36.patch1.98 KB

Updated the patch as per #34 and #35

FeyP’s picture

FeyP CreditAttribution: FeyP as a volunteer and at werk21 commented
Status: Needs work » Needs review

Thanks. Let's update the issue status to "Needs review" so that the tests will run.

FeyP’s picture

FeyP CreditAttribution: FeyP as a volunteer and at werk21 commented
Issue summary: View changes
Issue tags: -Needs issue summary update

Updated the IS.

FeyP’s picture

FeyP CreditAttribution: FeyP as a volunteer and at werk21 commented
Status: Needs review » Reviewed & tested by the community

This issue is being reviewed by the kind folks in Slack, #need-reveiw-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

Thanks. The code looks good, #34 and #35 are addressed, the tests pass. I also tested the patch manually on 10.1.x-dev. I think this is RTBC.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 36: 2800691-36.patch, failed testing. View results

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs work » Reviewed & tested by the community

Random

BramDriesen’s picture

BramDriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
CreditAttribution: BramDriesen as a volunteer and at Sopra Steria commented

Triggered a re-test.

@smustgrave You know there is a typo in your issue template? :-) #need-reveiw-queue (reveiw -> review)

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 36: 2800691-36.patch, failed testing. View results

FeyP’s picture

FeyP CreditAttribution: FeyP as a volunteer and at werk21 commented
Status: Needs work » Reviewed & tested by the community
Related issues: +#3361121: [random test failure] InstallerExistingConfig[SyncDirectory]MultilingualTest::testConfigSync

Another random test failure, retest was green, see #3361121: [random test failure] InstallerExistingConfig[SyncDirectory]MultilingualTest::testConfigSync, back to RTBC per #39.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 36: 2800691-36.patch, failed testing. View results

BramDriesen’s picture

BramDriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
CreditAttribution: BramDriesen as a volunteer and at Sopra Steria commented
Status: Needs work » Reviewed & tested by the community

Triggered retest

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
FileSize
diff-23-36.txt1.11 KB

Triaging the RTBC queue.

Thank you @FeyP, for asking for an Issue Summary update. That helps a great deal!

I see that catch thought the patch in #23 was good and after that it was rerolling. It is confusing when there is both a patch workflow and an MR on issue. :-( It looks like the patch in #36 is the one to use. However, there are no interdiffs for that or the previous patch. I have added one.

All the issues have been addressed and this is good to go. I have updated credit, including myself and @Amber Himes Matz due to the triage work done in a documentation meeting.

@bharath-kondeti, Thanks for helping on this issue. To help reviewers always add an interdiff, or a diff, whichever is appropriate. There are instructions for creating an interdiff.

longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Status: Reviewed & tested by the community » Needs work 
+++ b/core/lib/Drupal/Component/Utility/Xss.php
@@ -45,8 +45,8 @@ class Xss {
+   *   An array of allowed html tags.

"HTML" in the comment should be in upper case.

BramDriesen’s picture

BramDriesen
he/him
Primary language Dutch
Location Belgium 🇧🇪🇪🇺
CreditAttribution: BramDriesen as a volunteer and at Sopra Steria commented
Status: Needs work » Needs review
smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community

  • longwave committed 02c6babe on 10.1.x 
    Issue #2800691 by bharath-kondeti, djsagar, ravi.shankar, Rishabh...

  • longwave committed 8624038a on 11.x 
    Issue #2800691 by bharath-kondeti, djsagar, ravi.shankar, Rishabh...
longwave’s picture

longwave
he/him
Primary language English
Location UK
CreditAttribution: longwave at Full Fat Things commented
Status: Reviewed & tested by the community » Fixed

Paused to consider the backport here; while this is largely just a docs fix, we are also renaming a variable, and if someone is using named arguments this will break their code. But I think the chances of anyone actually using named arguments here is slim, and so I opted for the backport to keep the branches in sync and improve documentation for 10.1.x users.

Committed and pushed 8624038a9a to 11.x and 02c6babe8b to 10.1.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.