Bootstrap 7.x-3.8 breaks dpm() Krumo and string output
Please see the related issue https://www.drupal.org/node/2824575 in the Bootstrap issue queue.
The latest release, 7.x-3.8, fixes Bootstrap - ModeratelyCritical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058 https://www.drupal.org/node/2824413
It introduces a new function, _bootstrap_filter_xss():
+ * Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities. + * + * Very similar to core's filter_xss(). It does, however, include the addition + * of the "span", "div" and "i" elements which are commonly used in Bootstrap.
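Review bot: the docblock describes the filter only by what it adds to core's filter_xss() ("span", "div" and "i") and does not say what happens to markup outside the allowed list. Since the function is new, add a sentence stating that any other element is stripped from the filtered string, so callers passing richer markup know their output will change.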
This filter removes <pre>, <style> and <script> tags, which are used by dpm(), a function provided by the contrib module devel (https://www.drupal.org/project/devel). This means that the Krumo output of arrays with dpm() no longer displays correctly, and the styling of string messages from dpm() is broken.
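Why the output breaks, as an added example that is not code from Bootstrap, devel or Drupal core: PHP's strip_tags() stands in for the theme's filter to show the tag-removal effect only. The allow-list, the function names and the sample message are constructed for illustration.

```php
<?php
// Added example, not code from Bootstrap, devel or Drupal core.
// strip_tags() stands in for the theme's filter only to show the tag-removal
// effect; unlike filter_xss() it does not clean attributes, so it is not a
// sanitizer.

// Assumed allow-list for the demo: "span", "div" and "i" are the elements the
// docblock names, the others are constructed sample entries.
$allowed = array('a', 'em', 'strong', 'code', 'span', 'div', 'i');

// Returns the distinct tag names in $html that are outside $allowed.
function example_dropped_tags($html, array $allowed) {
  preg_match_all('%<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)%', $html, $m);
  $found = array_unique(array_map('strtolower', $m[1]));
  return array_values(array_diff($found, $allowed));
}

// Removes every tag outside $allowed, leaving its inner text in place.
function example_filter($html, array $allowed) {
  return strip_tags($html, '<' . implode('><', $allowed) . '>');
}

// Constructed message shaped like debug output: inline CSS, inline JS and a
// preformatted dump inside a wrapper div.
$message = '<style>.krumo-root { border: 1px solid #000; }</style>'
  . '<script>function toggle(el) { el.className = "open"; }</script>'
  . '<div class="krumo-root"><pre>Array ( [0] =&gt; a )</pre></div>';

// Tags the allow-list drops from this message.
print implode(', ', example_dropped_tags($message, $allowed)) . "\n";
// What is left: the CSS and JS source become visible text, and the dump
// loses its <pre> formatting, while the wrapper div survives.
print example_filter($message, $allowed) . "\n";
```

Running the same check against a real message shows which of its tags fall outside the filter's allow-list before any theme override is considered.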
Comments
Comment #2
markhalliwell
This isn't a devel issue.
Comment #3
joseph.olstad
I have not found a solution to this issue. Appears to still be a problem.
Comment #4
joseph.olstad
***EDIT*** SEE THE PARENT ISSUE FOR THE AWESOME PATCH TO devel ***EDIT***
***EDIT*** THANKS to @mustanggb and @markcarver ***EDIT***
Oh, found solution. Looks like this is a reasonable solution. https://www.drupal.org/node/2824575#comment-11908224
Comment #5
markhalliwell
No, it's not. Read the comment below the comment you mentioned above (which I have now unpublished): https://www.drupal.org/node/2824575#comment-11908246.
Comment #6
joseph.olstad
Actually, forget comment #4, the real solution is this patch to the devel module.
#2855666: Make Krumo compatible with XSS injection protection to drupal_set_message()
Comment #7
joseph.olstad
See parent issue for the patch that works flawlessly.
Comment #8
joseph.olstad
Comment #9
rmajed
mytheme is a subtheme of bootstrap. I don't know how good that approach is, but I simply overrode the bootstrap_status_messages function and replaced it with the core function in my theme.
Comment #10
CProfessionals
#9 worked perfectly... been wrestling with trying to develop with the messed up display for a while. Thanks for posting, rmajed.
Additionally:
change "subtheme" to the machine name of your active theme. You can get this by going to the settings page of your subtheme, and look at the url. i.e. /admin/appearance/settings/[theme machinename]. The first line will be:
function [theme machinename]_status_messages($variables)
Comment #11
szt
Unfortunately #6 is not a real solution, but #9 works.
Comment #12
joseph.olstad
@szt, #6 is the correct solution. There was a security issue in bootstrap that was resolved; unfortunately the solution meant that the current devel module will not work with bootstrap. The solution is to replace the devel module with the latest dev release of devel and then to patch the devel module with this patch.
This is why this issue is closed as a duplicate.
Please do not recommend a hacker solution to others. The correct solution is to patch the devel module and it would be best if the maintainer of the devel module gets busy and publishes a new release of devel with the solution.
Comment #13
giorgio79
I had this issue too. The easiest way out is in Devel settings at /admin/config/development/devel
set "Krumo backtrace above the rendered page"
and voilà, no more dependency on themes.
Comment #14
joseph.olstad
Re: #13 Nice workaround
Comment #15
Bram Esposito
#9 works for me
#13 does not on drupal commerce carts
Comment #16
ikeigenwijs
#6 worked
#13 did not