Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Follow-up from #856588: drupal_attributes should check_plain attribute names, not just values. We should add to the PHPDoc of drupal_attributes() information about security. Specifically, that values are check_plain()'d, so the caller doesn't need to, and that names are not check_plain()'d, and the caller shouldn't assume that calling check_plain() on an attribute name makes it secure: instead callers should only supply whitelisted attribute names. Some examples to make this clear would be nice.
Comment | File | Size | Author |
---|---|---|---|
#9 | drupal-attributes-4.patch | 2.34 KB | mr.baileys |
#7 | drupal-attributes-3.patch | 2.35 KB | mr.baileys |
#5 | drupal-attributes-2.patch | 2.3 KB | mr.baileys |
#3 | drupal-attributes.patch | 2.42 KB | mr.baileys |
Comments
Comment #1
effulgentsia CreditAttribution: effulgentsia commented.
Comment #2
jhodgdonThis looks like a documentation-only issue, moving to that queue and removing tag.
Comment #3
mr.baileysHere's a first stab at this. I updated the rest of the Doxygen block too: third person for the intro sentence, removed the references to HTML as drupal_attributes can be used in some other contexts (like XML).
Comment #4
jhodgdonGood first stab. A few minor things:
a)
(e.g. a multi-value class attribute).
==>
(i.e., a multi-value class attribute).
b)
I think this code comment needs to mention whitelisting (as mentioned in the paragraph above). Maybe add something like:
Probably the 'onmouseout' attribute should not be whitelisted -- you don't want users to have the ability to add this attribute or others that take JavaScript commands.
c) Needs a blank line between @param and @return sections.
d) Don't include the E_ALL hunk of index.php in the patch. :)
Comment #5
mr.baileysThanks, taken care of all your comments. Also tried to make the first sentence better explain what the function is doing.
Comment #6
jhodgdonMuch better!
a) First line:
+ * Converts an associative array to an attribute string for use in tags.
Should we say HTML tags, or perhaps XML tags, or perhaps XML/HTML tags, instead of just tags?
Willing to live with this as it is, especially if that would push it over the 80 character limit.
b) There needs to be a comma after i.e. -- and I guess I was wrong above, it should really be e.g., because it is an example and not a "that is". Even better, change
(i.e. a multi-value class attribute)
==>
(for example, a class attribute with multiple class values)
I had to read that three or four times as it was to even figure out what it meant, even though I had read it just a day or two ago.
Comment #7
mr.baileysThanks, updated patch attached.
The first line now reads "Converts an associative array to an attribute string for use in XML/HTML tags." which goes over the 80-char limit by 1 character, but if I'm not mistaken the first-line of a doxygen is allowed to go slightly over the limit, right?
I've also added drupal_attributes to the "sanitization" group as it sanitizes the values.
Comment #8
jhodgdonHow about just removing the "use in" so it reads:
Converts an associative array to an attribute string for XML/HTML tags.
That will come in under 80 characters, and we really do discourage going over 80.
Other than that, I am for RTBC on this one.
Comment #9
mr.baileysThanks for the tip, that does sound better than the current form.
Comment #10
jhodgdonLooks good to me! Thanks mr.baileys!!
Comment #11
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks.