Bootstrap 7.x-3.8 breaks dpm() Krumo and string output

Please see the related issue https://www.drupal.org/node/2824575 in the Bootstrap issue queue

The latest release, 7.x-3.8, fixes "Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058" https://www.drupal.org/node/2824413

It introduces a new function, _bootstrap_filter_xss():

+ * Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.
+ *
+ * Very similar to core's filter_xss(). It does, however, include the addition
+ * of the "span", "div" and "i" elements which are commonly used in Bootstrap.
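Review bot: The docblock only names the elements added on top of core's filter_xss() (span, div, i); it should also state that the allow-list still excludes "pre", "style" and "script", since that is the behaviour change the issue summary describes for dpm() output. Suggest adding a line such as `* Tags not in the allowed list (e.g. "pre", "style", "script") are stripped.` so callers that emit developer markup know it will not pass through unchanged.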

This filter removes the <pre>, <style> and <script> tags, which are used by dpm(), a function provided by the contrib module devel (https://www.drupal.org/project/devel).

This means that the Krumo output of arrays with dpm() no longer displays correctly, and the styling of string messages from dpm() is broken.
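As an added illustration (not code from Bootstrap, devel or any commenter) of what the allow-list filter described above does to dpm() markup: the allow-list is core filter_xss()'s default list plus the three elements the patch docblock names, strip_tags() stands in for the real filter (which also removes unsafe attributes and protocols, so this is not a substitute for it), and the Krumo-like fragment is constructed.

```php
<?php
// Added illustration only; approximates the allow-list behaviour with
// strip_tags(). Real filter_xss() also strips dangerous attributes.

// Core filter_xss() default allow-list (Drupal 7).
const CORE_ALLOWED = ['a', 'em', 'strong', 'cite', 'blockquote', 'code',
                      'ul', 'ol', 'li', 'dl', 'dt', 'dd'];
// Elements Bootstrap 7.x-3.8 adds on top of core, per the patch docblock.
const BOOTSTRAP_EXTRA = ['span', 'div', 'i'];

/** Keep only the allowed elements; everything else loses its tags. */
function allowlist_filter(string $html, array $allowed): string {
  $tags = '<' . implode('><', $allowed) . '>';
  return strip_tags($html, $tags);
}

/** Audit helper: which element names in $html are not on the allow-list. */
function stripped_tags(string $html, array $allowed): array {
  preg_match_all('/<([a-z][a-z0-9]*)\b/i', $html, $m);
  $present = array_unique(array_map('strtolower', $m[1]));
  return array_values(array_diff($present, $allowed));
}

/** True when a message passes through the filter byte-for-byte unchanged. */
function survives_filter(string $html, array $allowed): bool {
  return allowlist_filter($html, $allowed) === $html;
}

// Constructed sample resembling what dpm() emits via Krumo.
$krumo = '<script type="text/javascript">krumo.init();</script>'
       . '<style>.krumo-root{font-family:monospace}</style>'
       . '<div class="krumo-root"><pre>Array ( [0] => a )</pre></div>';
// Constructed sample of a plain styled string message.
$plain = '<span class="text-muted">Cache cleared.</span>';

$allowed = array_merge(CORE_ALLOWED, BOOTSTRAP_EXTRA);
foreach (['krumo' => $krumo, 'plain' => $plain] as $name => $msg) {
  printf("%s: survives=%s, stripped=[%s]\n", $name,
         survives_filter($msg, $allowed) ? 'yes' : 'no',
         implode(', ', stripped_tags($msg, $allowed)));
  echo allowlist_filter($msg, $allowed), "\n";
}
```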

Comments

aminorking created an issue. See original summary.

markhalliwell commented:

Category: Bug report » Support request
Priority: Minor » Normal
Status: Active » Closed (works as designed)
Issue tags: -krumo dpm bootstrap

This isn't a devel issue.

joseph.olstad commented:

I have not found a solution to this issue. Appears to still be a problem.

joseph.olstad commented:

***EDIT*** SEE THE PARENT ISSUE FOR THE AWESOME PATCH TO devel ***EDIT***

***EDIT*** THANKS to @mustanggb and @markcarver ***EDIT***
Oh, found a solution.

looks like this is a reasonable solution.

https://www.drupal.org/node/2824575#comment-11908224

markhalliwell commented:

looks like this is a reasonable solution.

No, it's not. Read the comment below the comment you mentioned above (which I have now unpublished) https://www.drupal.org/node/2824575#comment-11908246.

joseph.olstad commented:

Actually, forget comment #4; the real solution is this patch to the devel module.

#2855666: Make Krumo compatible with XSS injection protection to drupal_set_message()

joseph.olstad commented:

see parent issue for the patch that works flawlessly.

joseph.olstad commented:

Status: Closed (works as designed) » Closed (duplicate)

rmajed commented:

My theme is a subtheme of Bootstrap. I don't know how good that approach is, but I simply overrode the bootstrap_status_messages function and replaced it with the core function in my theme.

<?php

/**
 * Overrides bootstrap_status_messages().
 *
 * Copy of core's theme_status_messages(), so messages are rendered without
 * the Bootstrap theme's XSS filtering. Replace "subtheme" with the machine
 * name of your theme.
 */
function subtheme_status_messages($variables) {
  $display = $variables['display'];
  $output = '';

  // Visually hidden headings announce the message type to screen readers.
  $status_heading = array(
    'status' => t('Status message'),
    'error' => t('Error message'),
    'warning' => t('Warning message'),
  );
  foreach (drupal_get_messages($display) as $type => $messages) {
    $output .= "<div class=\"messages $type\">\n";
    if (!empty($status_heading[$type])) {
      $output .= '<h2 class="element-invisible">' . $status_heading[$type] . "</h2>\n";
    }
    // Several messages of one type become a list; a single one is printed bare.
    if (count($messages) > 1) {
      $output .= " <ul>\n";
      foreach ($messages as $message) {
        $output .= '  <li>' . $message . "</li>\n";
      }
      $output .= " </ul>\n";
    }
    else {
      $output .= reset($messages);
    }
    $output .= "</div>\n";
  }
  return $output;
}

CProfessionals commented:

#9 worked perfectly. I've been wrestling with trying to develop with the messed-up display for a while. Thanks for posting, rmajed.

Additionally:

Change "subtheme" to the machine name of your active theme. You can get this by going to the settings page of your subtheme and looking at the URL, i.e. /admin/appearance/settings/[theme machinename]. The first line will be:
function [theme machinename]_status_messages($variables)

szt commented:

Unfortunately #6 is not a real solution, but #9 works.

joseph.olstad commented:

@szt, #6 is the correct solution. There was a security issue in Bootstrap that was resolved; unfortunately, the solution meant that the current devel module will not work with Bootstrap. The solution is to replace the devel module with the latest dev release of devel and then to patch the devel module with this patch.

This is why this issue is closed as a duplicate.

Please do not recommend a hacker solution to others. The correct solution is to patch the devel module and it would be best if the maintainer of the devel module gets busy and publishes a new release of devel with the solution.

giorgio79 commented:

I had this issue too. The easiest way out is in the Devel settings at /admin/config/development/devel:

set "Krumo backtrace above the rendered page"

and voilà, no more dependency on themes.

joseph.olstad commented:

Re: #13, nice workaround.

Bram Esposito commented:

#9 works for me.
#13 does not on Drupal Commerce carts.

ikeigenwijs commented:

#6 worked.
#13 did not.