Since this is just an addition to drupal_set_message(), devel can be preemptive before the following lands in core: #2408955: drupal_set_message should filter output by default.
Comment | File | Size | Author |
---|---|---|---|
#3 | add_pass_through-2831622-3.patch | 1.39 KB | markhalliwell |
Comments
Comment #2
markhalliwell
Comment #3
markhalliwell
Forgot to add some commenting to explain why this is needed.
Also, it should be noted that this isn't an issue in 8.x because Twig auto-escapes.
Comment #4
jvogt
Should this patch address the issue we're experiencing with Devel + Bootstrap 3.8+? I ran the patch (add_pass_through-2831622-3.patch), but the dpm() output is still broken.
I also tested it manually like so:
No luck there either. Is there something I need to do to make PASS_THROUGH function?
Stats:
* Core 7.52
* Devel 7.x-1.5
* Bootstrap 7.x-3.10
Thanks in advance for any advice!
Comment #5
markhalliwell
This issue is preemptive in the sense that it can technically be committed without currently breaking anything.
However, this patch will technically only work if core is patched as well: #2408955: drupal_set_message should filter output by default.
Comment #6
jvogt
I see. Thanks, I'll give that a try.
Comment #7
MustangGB
Here is an alternative to allow the XSS filter to remain, and instead fix Krumo #2855666: Make Krumo compatible with XSS injection protection to drupal_set_message().
Comment #8
MustangGB
There is no indication that #2408955: drupal_set_message should filter output by default will be accepted into core, so postponing for the time being.
Comment #9
MustangGB
Resolved by #2855666: Make Krumo compatible with XSS injection protection to drupal_set_message().