dpm() output styling and Krumo functionality is broken following 7.x-3.8 release
The latest release, 7.x-3.8, fixes Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058: https://www.drupal.org/node/2824413
It introduces a new function, _bootstrap_filter_xss():
+ * Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities. + * + * Very similar to core's filter_xss(). It does, however, include the addition + * of the "span", "div" and "i" elements which are commonly used in Bootstrap.
This filter removes <script> tags, which are used by dpm(), a function provided by the contrib module devel (https://www.drupal.org/project/devel).
This means that the Krumo output of arrays with dpm() no longer displays correctly, and the styling of string messages from dpm() is broken.
- The addition of the above tags to the allowed_tags array in _bootstrap_filter_xss() resolves this issue, but is likely to be unsatisfactory.
    $allowed_tags = array(
      ...
      // dpm() message elements
      'style', 'script', 'pre'
    );
- Alternatively, the new filter could be removed from bootstrap_status_messages(). This would be reverting the change of the 7.x-3.8 release.
- Finally, an additional, less restrictive filter could be implemented for the printing of messages. This would be an alteration to the change in the 7.x-3.8 release.
I have not produced a patch, as the first two suggestions would be altering the security update release, and I believe the third suggestion requires some discussion.
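The trade-off in the first option, shown as an added example that is not part of the original issue or of the Bootstrap theme's code. demo_filter_tags() is a hypothetical, simplified stand-in for an allowlist tag filter, the two messages are constructed samples, and the strict list contains only the three elements named in the docblock excerpt.

```php
<?php
// Added illustration: a simplified stand-in for an allowlist tag filter.
// It is NOT Drupal's filter_xss() or _bootstrap_filter_xss(); it only drops
// tags that are not allowlisted and does no attribute sanitising.
function demo_filter_tags($html, array $allowed_tags) {
  return preg_replace_callback(
    '%</?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>%',
    function ($m) use ($allowed_tags) {
      // Keep the tag verbatim if its name is allowlisted, otherwise drop it.
      return in_array(strtolower($m[1]), $allowed_tags, TRUE) ? $m[0] : '';
    },
    $html
  );
}

// Constructed samples: a dpm()-style debug message that ships its own
// style/script markup, and a status message carrying untrusted input.
// initDebugTree() is a made-up name, not a real Krumo function.
$debug_message = '<style>.debug-tree{border:1px solid}</style>'
  . '<script>initDebugTree();</script><pre>array(1)</pre>';
$untrusted_message = 'Saved <script>alert(1)</script>';

// Strict: the elements named in the docblock excerpt (assumed subset).
// Relaxed: the same list plus the three tags from the first option.
$strict = array('span', 'div', 'i');
$relaxed = array_merge($strict, array('style', 'script', 'pre'));

foreach (array('strict' => $strict, 'relaxed' => $relaxed) as $label => $tags) {
  echo "== $label ==\n";
  echo demo_filter_tags($debug_message, $tags), "\n";
  echo demo_filter_tags($untrusted_message, $tags), "\n";
}
```

With the strict list, the debug message loses its style and script tags and their contents are left behind as plain text; with the relaxed list it comes through intact, but so does the script element in the untrusted message.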