Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
#2804587: Create mail display mock-ups suggests a mockup for the Inmail element body.
Proposed resolution
We should identify body content (in preprocessing phase) for plain and MIME messages in order to use it in Twig.
Update Twig template correspondingly.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#16 | identify_message_body-2820989-16-interdiff.txt | 920 bytes | mbovan |
#16 | identify_message_body-2820989-16.patch | 6.17 KB | mbovan |
| |||
#14 | identify_message_body-2820989-14.patch | 6.28 KB | mbovan |
| |||
#12 | identify_message_body-2820989-12-interdiff.txt | 3.27 KB | mbovan |
#12 | identify_message_body-2820989-12.patch | 6.71 KB | mbovan |
|
Comments
Comment #2
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedIssue summary update.
Comment #3
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedProviding a patch. Added
<main>
tag (to wrap message body?) and applied some touched parts by following #2820004 #15).Content / Plain text part:
HTML:
Comment #4
miro_dietikerThat looks very nice and i would love to add some improved Body output.
But we need to properly address the problems here...
We need to apply XSS protection here!
Let's add a test that adds some XSS
<script>
tag and make sure it's not output in the HTML.Follow-Up: We need to discuss if we should allow opening the mail as break-out without filtering. But as this is delivered through the same domain, it contains risks of API / abuse through JS... Needs an issue to discuss... At least it could likely be that the mail is not properly displayed inside our theme and we need to check what we can do.
Comment #5
miro_dietikerAh and... just removing script tags won't help, since an onclick or onXYZ handler can contain any inline script.
So let's put caring about raw / extended HTML into a follow-up and properly output XSS filtered HTML with this issue. Always.
Comment #6
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedAdding XSS protection by filtering tags and allowing admin tags only.
Here is how it looks with filtered tags (admin tags allowed):
Edit:
About
+ <div class="inmail-message--body__content">{{ body.content|raw|nl2br }}</div>
In the plain text, all tags are already stripped.
Comment #7
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedCreated a follow-up to discuss possibilities to improve HTML mail output.
Comment #8
Berdir|raw is generally discouraged and should be avoided, instead, the object should be marked as safe
But why is the raw even necessary when it is plain text? Is there double escaping without it? You could also mark the checkefd string as save by making it a Markup object with Markup::create()
Another possibility would be to do it like \Drupal\Core\Field\Plugin\Field\FieldFormatter\StringFormatter::viewValue, to get the "technical" part out of the real twig template. Not sure if that really makes sense here.
Comment #9
miro_dietikerComment #10
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedExactly. For instance,
>
is displayed as>
.Switched to
Markup::create()
in this patch.Comment #11
miro_dietikerThe message itself should not filter. This is a MIME Entity that should return unchanged raw data.
Filtering is a matter of preprocessing and presentation.
This doesn't help as a blackbox method.
Also blindly chaining the HTML parts seems strange. We should pick the first one for the mail body display.
For semantic indexing, this method extracting all HTML could make sense, but then it should be designed for advanced multipart conversion, supporting file conversion such as PDF text extraction and should be multipart aware.. For the basics we have getPlainText().
If you look at the mockup, you will see that the message element needs to keep track about what parts have been used for body / html and attachments, because all unused parts are listed as unknown.
Comment #12
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedRe #11.1: Yeah, makes sense.
Comment #13
miro_dietikerhtml is as much content as plain text. I think we should rename it.
Wanted to commit to allow quick progress also in theming body / establishing the tabs, but it contains lots of conflicts with the recent changes.
Comment #14
mbovan CreditAttribution: mbovan at MD Systems GmbH commentedReplaced (body) "content" with "plain" (text) and rerolled.
Comment #15
johnchqueI think we might want to use: inmail-message__body__html :)
Not sure if here the closing div should go in the next line maybe (?)
Comment #16
mbovan CreditAttribution: mbovan at MD Systems GmbH commented#15.1: Yeah, I added element part as well.
#15.2: Oh, don't know why I changed this at all.
Comment #17
johnchque#15.1 I was talking about the underscore before body. Now looks niiice.
Comment #19
miro_dietikerCommitted. Time to move forward! :-)