Problem/Motivation

Currently, asset injector summaries are decoded, however this results in unnecessarily escaped HTML.

e.g. if the summary returns:

$this->t('Condition filter values: %theme.', [
  '%theme' => $this->configFactory->get('system.theme')->get('default'),
]);

Steps to reproduce

Use a condition which returns a summary containing Drupal placeholders.

Proposed resolution

Don't escape as the underlying module providing the summary should've already handled all the necessary sanitization.

We could also potentially wrap it in something along the lines of this (but shouldn't be necessary since it's not user generated content):

Markup::create(Xss::filterAdmin($summary->render()));

Remaining tasks

Provide issue fork/patches.

User interface changes

N/A

CommentFileSizeAuthor
#3 3348521-asset_injector-dont-decode-summary-3.diff1010 bytescodebymikey

Issue fork asset_injector-3348521

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

codebymikey created an issue. See original summary.

codebymikey opened merge request !9

codebymikey’s picture

codebymikey commented
Issue summary: View changes
Status: Active » Needs review
StatusFileSize
new 3348521-asset_injector-dont-decode-summary-3.diff1010 bytes

Added issue fork, the current approach also allows it to work if the third party module happens to return a simple string rather than markup.

Since it's passed through the Drupal renderer anyway, the raw HTML entities will escaped anyway if they haven't been passed in as trusted "Markup".

Anybody made their first commit to this issue’s fork.

anybody’s picture

anybody
Primary language German
Location Porta Westfalica
commented

The module's implementation changed in the meantime:
$data['conditions'][$condition_id] = is_string($summary) ? Html::decodeEntities($summary) : Html::decodeEntities($summary->render());

Could the maintainer eventually explain why Html::decodeEntities() is used here at all?

I also can't really see a benefit, theoretically it's even more a risk:

Be careful when using this function, as it will revert previous sanitization efforts (<script> will become

).
https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Utility%21Html.php/function/Html%3A%3AdecodeEntities/8.9.x So I think it should be removed for good reasons, if it's not needed.
pookmish’s picture

pookmish commented

There was a reason when the code was first written. I think it was something to do with the summary provided by one of the condition plugins not being compatible.

Looking at the git blame brings up this issue: #3385148: Calling ->render()on string throws errors.

But now looking at it, that is an issue with the condition_path module, not this module. However, it's doesn't appear to need to be decoded and leaving the summary un-rendered works fine.

So this seems appropriate to me.

  • pookmish committed 454238c8 on 8.x-2.x 
    [#3348521] fix: Summaries should not be decoded with Html::...
pookmish’s picture

pookmish commented
Status: Needs review » Fixed

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

codebymikey closed merge request !9