If you visit a D8 site as an authenticated user and add a query string parameter which includes a quotation mark, then a JavaScript error will be thrown.
E.g. go to /search?keywords=it's
Error:
Uncaught DOMException: Failed to execute 'querySelectorAll' on 'Document': '[data-drupal-link-system-path="search"]:not([hreflang])[data-drupal-link-query='{"keywords":"it's"}'],[data-drupal-link-system-path="search"][hreflang="en"][data-drupal-link-query='{"keywords":"it's"}']' is not a valid selector.
This does not effect anonymous users as the core/drupal.active-link
library is only attached if the current user is authenticated.
Comment | File | Size | Author |
---|---|---|---|
#40 | 2902769-40.patch | 664 bytes | Keshav Patel |
#39 | active_link_js_throws-2902769-39.patch | 580 bytes | DYdave |
#35 | 2902769-nr-bot.txt | 107 bytes | needs-review-queue-bot |
#34 | active_link_js_throws-2902769-34.patch | 1.32 KB | agarzola |
#33 | active_link_js_throws-2902769-33.patch | 668 bytes | agarzola |
|
Issue fork drupal-2902769
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedThis patch escapes single quote characters before passing the string on to be used as input for querySelectorAll.
Comment #3
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedPatch for 8.4.x with ES6.
Comment #4
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedPrevious patch throws error if
drupalSettings.path.currentQuery
is undefined. This is a new patch for 8.3.x.Comment #5
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedPrevious 8.4.x patch throws error if
drupalSettings.path.currentQuery
is undefined. This is a new patch for 8.4.x.Comment #6
cilefen CreditAttribution: cilefen as a volunteer commentedHi: we do not expect any more 8.3.x commits except possibly of critical issues.
Comment #8
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedComment #9
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedThat's fine @cilefen,
active_link_js_throws-2902769-5.patch
applies on 8.4.x and 8.5.x.Comment #10
keeganstreet CreditAttribution: keeganstreet at Deloitte Digital commentedComment #11
cilefen CreditAttribution: cilefen as a volunteer commentedComment #12
droplet CreditAttribution: droplet commentedThis is a quick fix to mute the error report but will not match the correct query string
The active link contains a bug. Any query string contains `'` or `\` [..more] doesn't match already..
Also,
node?a=1&b=2
node?b=2&a=1
the ordering affected the matching also. However, `node?a=1&b=2` and `node?b=2&a=1` is the same URL in W3C spec, right? (Drupal will give the same result I think)
Also, the [data-drupal-link-query] printed from PHP, we should keep the escape same way. It should not JSON IMO.
Comment #13
Wim LeersThis definitely needs JS test coverage.
And we need to keep it in sync with the PHP logic.
Comment #16
ivrh CreditAttribution: ivrh commentedThe patch stopped applying for 8.6.2, so I am re-rolling it against 8.6.x branch
Comment #19
amanire CreditAttribution: amanire as a volunteer and commentedRecognizing the concerns expressed in #12 and #13, but as an interim measure to workaround the errors, this is a reroll of #16 to apply against 8.8.2.
Comment #20
amanire CreditAttribution: amanire as a volunteer and commentedThat last reroll in #19 accidentally removed an extra line on
active-link.js
. Don't use it. Use this one instead.Comment #21
amanire CreditAttribution: amanire as a volunteer and commentedComment #22
amanire CreditAttribution: amanire at Environmental Defense Fund commentedUgh I think #20 has bad line endings. Again, recognizing the concerns expressed in #12 and #13, but as an interim measure to workaround the errors, this is a reroll of #16 to apply against 8.8.2.
Comment #26
dmitri.daranuta CreditAttribution: dmitri.daranuta at FFW commentedComment #27
Suresh Prabhu Parkala CreditAttribution: Suresh Prabhu Parkala at Specbee commentedTried to fix custom command failures. Please review.
Comment #29
agarzola CreditAttribution: agarzola at Chromatic commentedI can confirm that the patch in #27 suppresses the error in 9.1.x. I’m attaching a re-rolled patch against 9.4.x with (I believe) the necessary changes to pass tests.
Comment #32
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #33
agarzola CreditAttribution: agarzola at Chromatic commentedRe-rolled against the 10.1.x branch.
Comment #34
agarzola CreditAttribution: agarzola at Chromatic commentedSomething caused the previous 9.x patch not to pass tests in 9.5. Tooling in 9.5 causes the non-ES6 version of the file to _not_ get blank lines around the conditional.
This new patch should apply cleanly to 9.5.x.
Comment #35
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #36
nod_Branch issue
Comment #37
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.
As a bug this could use a test case.
Also issue summary should be updated with proposed fix.
Comment #39
DYdave CreditAttribution: DYdave at Code Enigma commentedRerolled #34 for 10.2.x.
File
/core/misc/active-link.es6.js
doesn't seem to exist anymore, so it was removed from the patch.Please let us know if it moved somewhere and should still be included in the patch.
Thanks in advance !
Comment #40
Keshav Patel CreditAttribution: Keshav Patel at OpenSense Labs for DrupalFit commentedChanged 'const' to 'let', Please Review.
Comment #41
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue.
While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)