Problem/Motivation

On a site with a node with ID 1, the following code returns the same:

\Drupal\node\Entity\Node::loadMultiple(['1']);
\Drupal\node\Entity\Node::loadMultiple(['01']);
\Drupal\node\Entity\Node::loadMultiple([' 1']);
\Drupal\node\Entity\Node::loadMultiple([' 01']);

In case of use the Node::load() method instead, it returns the node entity only when 1 or '1' is used as entity ID, getting NULL in the rest of the cases ('01', ' 1', ' 01') as expected.

It actually happens with any content entity type. As far I can see, the root cause is located at ContentEntityStorageBase::cleanIds(), that alters numeric entity IDs processing them by intval().

Entity URLs affected

From Drupal 8.7, due to the changes introduced at #2942907: Entity system does not provide an API for retrieving an entity variant that is safe for editing, URLs with numeric entity IDs are affected by this. For example, /node/1 and /node/01 returns the same page. As concluded in the related issue #2674618-35: System behave differently on URL "node/00001" and "node/1", /node/1 and /node/01 (001, 0001, and so on) are different URLs and must have different response.

This may affect several aspects. It could be considered a vulnerability from the SEO point of view, since /node/1 and /node/01 would be seen as duplicated content by Google which penalizes it.

It also could have many other side-effects. For instance, custom access callbacks receives arguments as string and could end in errors when an ID with leading zeros are received. It happens with the contact core module. In a fresh D9.2 installation with the standard profile, the URL /user/01 ends in call to a member function on null exception.

Steps to reproduce

In a fresh D9.2 installation with the standard profile, create an article at /node/add/article with arbitrary content. It should be at /node/1. The new node can also be accessed at /node/01 or edited at /node/001/edit

Logged as the user 1, at /user/01 should end in 404 but Drupal tries to render the user canonical page, ending in a crash related with the Contact module from core.

Proposed resolution

Since entity IDs are strings, '1' is not equal to '01' or ' 1' or ' 01'. Any EntityStorageInterface::loadMultiple() implementation must be aware of that.

Remaining tasks

Review, test.

User interface changes

N/A

API changes

None.

Data model changes

None.

Release notes snippet

TBD.

CommentFileSizeAuthor
#26 Screenshot 2025-12-09 at 11.56.11 AM.png48.82 KBsamitk
#15 interdiff_3191566_14-15.txt1.37 KBandregp
#15 3191566_15.patch2.72 KBandregp
#15 3191566_15-tests-only.patch1.25 KBandregp
#14 3191566_14.patch2.86 KBandregp
#14 3191566_14-test-only.patch1.39 KBandregp
#10 interdiff_4_10.txt725 bytesjoshua1234511
#10 3191566_10.patch1.47 KBjoshua1234511
#4 drupal-load_multiple_leading_entity_id_with_zeros_spaces-3191566-4.patch1.5 KBmanuel.adan
#2 drupal-load_multiple_leading_entity_id_with_zeros_spaces-3191566-2.patch1.48 KBmanuel.adan

Issue fork drupal-3191566

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

manuel.adan created an issue. See original summary.

manuel.adan’s picture

manuel.adan
Location 🌌
commented
Assigned: manuel.adan » Unassigned
Status: Active » Needs review
StatusFileSize
new drupal-load_multiple_leading_entity_id_with_zeros_spaces-3191566-2.patch1.48 KB

Initial fix that illustrates the issue causes and try it against tests.

manuel.adan’s picture

manuel.adan
Location 🌌
commented
Related issues: +#2674618: System behave differently on URL "node/00001" and "node/1"
manuel.adan’s picture

manuel.adan
Location 🌌
commented
StatusFileSize
new drupal-load_multiple_leading_entity_id_with_zeros_spaces-3191566-4.patch1.5 KB

Right patch generation.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Priority: Normal » Minor
Issue tags: +Bug Smash Initiative
kristen pol’s picture

kristen pol
she/her
Primary language English
Location Santa Cruz, CA, USA
commented 
+++ b/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php
@@ -411,17 +411,20 @@ class SqlContentEntityStorage extends ContentEntityStorageBase implements SqlEnt
+    // Sanitize IDs. Before feeding ID array into buildQuery, check whether
+    // it is empty as this would load all entities.

Nitpick: 80 character wrapping not quite right.

kristen pol’s picture

kristen pol
she/her
Primary language English
Location Santa Cruz, CA, USA
commented
Issue tags: +Needs manual testing

Forgot to tag for testing.

joshua1234511’s picture

joshua1234511
Primary language English
Location Goa
commented
Issue tags: -Needs manual testing
StatusFileSize
new 3191566_10.patch1.47 KB
new interdiff_4_10.txt725 bytes

Reviewed the patch from #4
Manual tested the patch on 9.4 on standard profile.
Steps followed from Issue summary
The new node can also be
- accessed at /node/01 and edited at /node/01/edit
- accessed at /node/001 and edited at /node/001/edit

Rerolled the path with Nitpick from #8

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

sonnykt’s picture

sonnykt
Location Melbourne, Australia
commented
Status: Needs review » Reviewed & tested by the community

Confirming patch #10 works with 9.4.x (standard profile) and an existing 9.3.14 site:

Before applying the patch:
* Both /node/1/edit and /node/01/edit return the same node edit form for node #1.
* Both /node/1 and /node/01 return the same page for node #1.
* Both /user/1/edit and /user/01/edit return the same edit form for user #1.

After applying the patch:
* /node/1/edit and /user/1/edit work as usual.
* /node/01/edit and /user/01/edit now return error 404.
* /node/01 now returns error 404.

drush php with the patch:

Psy Shell v0.10.9 (PHP 8.0.17 — cli) by Justin Hileman
(Drupal 9.3.14)
>>> \Drupal\node\Entity\Node::loadMultiple(['1']);
=> [
     1 => Drupal\node\Entity\Node {#7216
       +in_preview: null,
     },
   ]
>>> \Drupal\node\Entity\Node::loadMultiple(['01']);
=> []
>>> \Drupal\node\Entity\Node::loadMultiple([' 1']);
=> []
>>> \Drupal\node\Entity\Node::loadMultiple([' 01']);
=> []
>>> \Drupal\node\Entity\Node::loadMultiple([1]);
=> [
     1 => Drupal\node\Entity\Node {#7216
       +in_preview: null,
     },
   ]
>>>
catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests

This could use some test coverage.

andregp’s picture

andregp commented
Status: Needs work » Needs review
StatusFileSize
new 3191566_14-test-only.patch1.39 KB
new 3191566_14.patch2.86 KB

Sending a test-only patch which is expected to fail and the total patch.
I'm not sending an interdiff this time because I didn't change anything on SqlContentEntityStorage.php so the test-only patch is the inderdiff.

Edit: I'm not sure if this test is good enough as it doesn't cover cases like ' 01' or ' 1'.

andregp’s picture

andregp commented
StatusFileSize
new 3191566_15-tests-only.patch1.25 KB
new 3191566_15.patch2.72 KB
new interdiff_3191566_14-15.txt1.37 KB

I believe I've came up with a better test.
This time I assert using the loadMultiple() itself and I included the cases with space in the id.
Again sending a test only patch, which should fail and the complete patch.

The last submitted patch, 14: 3191566_14-test-only.patch, failed testing. View results

The last submitted patch, 15: 3191566_15-tests-only.patch, failed testing. View results

kristen pol’s picture

kristen pol
she/her
Primary language English
Location Santa Cruz, CA, USA
commented
Issue tags: -Needs tests

Thanks! Removing tests tag.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

Verified this on Drupal 10.1

Went to a URL node/0009 and it loaded the node/9 page
Applied patch
And now I get a page not found

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Reviewed & tested by the community » Needs work 
+++ b/core/modules/node/tests/src/Functional/NodeCreationTest.php
@@ -117,6 +117,28 @@ public function testNodeCreation() {
+    $this->drupalGet('node/add');
+    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->addressEquals('node/add/page');
+    // Create a node.
+    $edit = [];
+    $edit['title[0][value]'] = $this->randomMachineName(8);
+    $this->drupalGet('node/add/page');
+    $this->submitForm($edit, 'Save');

This doesn't need to be a functional test, we should create the node via the Node::create API and move it to a Kernel test

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

ressa’s picture

ressa
he/him
commented

Thanks for working on fixing this, which I discovered by chance a few months ago. It looks like the theme engine can be bypassed with this method.

Will it be back-ported to Drupal 7, which is also affected?

luke.stewart’s picture

luke.stewart commented
Issue tags: +Needs tests

samit.310@gmail.com made their first commit to this issue’s fork.

samitk’s picture

samitk commented
Status: Needs work » Postponed (maintainer needs more info)
StatusFileSize
new Screenshot 2025-12-09 at 11.56.11 AM.png48.82 KB

Not reproducible in 11.x branch. Running the following code produces the expected output shown in the attached screenshot.

dsm(\Drupal\node\Entity\Node::loadMultiple([' 1']));
dsm(\Drupal\node\Entity\Node::loadMultiple(['1']));
dsm(\Drupal\node\Entity\Node::loadMultiple(['01']));
dsm(\Drupal\node\Entity\Node::loadMultiple([' 1']));
dsm(\Drupal\node\Entity\Node::loadMultiple([' 01']));

Output

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

smustgrave’s picture

smustgrave commented
Status: Postponed (maintainer needs more info) » Needs work
Issue tags: +Needs issue summary update

May be good to least have test coverage around this