Problem/Motivation

The HTML is provided as part of the API response in JSON format, but the markup serialization seems to ditch it.
Attributes with html markup get html stripped

Proposed resolution

Before setting the value of the attribute, check whether the value is an instance of MarkupInterface and convert it to a PHP string.


Comments

petar_basic created an issue. See original summary.

petar_basic’s picture

Status: Needs work » Needs review
useernamee’s picture

Status: Needs review » Reviewed & tested by the community

Code looks good, and tests that also check this are passing.

mostepaniukvm’s picture

Status: Reviewed & tested by the community » Needs review

I was very close to merging the PR but started doubting whether it is absolutely safe and whether there is no scenario in which it could turn out to be a potential security vulnerability.
Not sure if we can afford to run Xss::filter() on the result string? Or are we required to keep the HTML unchanged?

fago’s picture

Status: Needs review » Reviewed & tested by the community

There is no need to; Twig runs auto-escaping on attribute values. This is good and the right place, since we don't want the escaping to run when the value is put into the JSON serialization of the output. So I think this is good to go.

  • 7fb11d6 committed on 8.x-2.x
    Issue #3324583 by petar_basic, useernamee, mostepaniukvm, fago:...
mostepaniukvm’s picture

Assigned: petar_basic » Unassigned
Status: Reviewed & tested by the community » Fixed

Thanks for the confirmation and explanation, merged and will tag a new release soon.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
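
The fix and the escaping argument discussed in this issue, as an added example that is not the project's code: `MarkupInterface`, `SafeMarkup` and `Element` are self-contained, hypothetical stand-ins for the Drupal classes, and `htmlspecialchars()` stands in for Twig auto-escaping. It shows the string cast keeping the HTML intact in JSON output while escaping is applied only when the value is rendered as an HTML attribute.

```php
<?php
// Hypothetical stand-in for Drupal's MarkupInterface (illustration only).
interface MarkupInterface extends \JsonSerializable {
  public function __toString(): string;
}

// Hypothetical markup wrapper holding an HTML string.
final class SafeMarkup implements MarkupInterface {
  public function __construct(private string $html) {}
  public function __toString(): string { return $this->html; }
  public function jsonSerialize(): string { return $this->html; }
}

// Hypothetical element that is serialized either to JSON or to HTML.
final class Element {
  private array $attributes = [];

  public function setAttribute(string $name, mixed $value): void {
    // Proposed resolution: unwrap markup objects to a plain PHP string
    // before storing, so the HTML is kept unchanged in the data model.
    if ($value instanceof MarkupInterface) {
      $value = (string) $value;
    }
    $this->attributes[$name] = $value;
  }

  // JSON output: only JSON string encoding is applied, no HTML escaping.
  public function toJson(): string {
    return json_encode($this->attributes, JSON_THROW_ON_ERROR);
  }

  // HTML output: every attribute value is escaped at render time.
  // Attribute names are assumed to be developer-controlled here.
  public function toHtmlAttributes(): string {
    $out = '';
    foreach ($this->attributes as $name => $value) {
      $escaped = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
      $out .= sprintf(' %s="%s"', $name, $escaped);
    }
    return $out;
  }
}

// Constructed sample value containing markup and quotes.
$el = new Element();
$el->setAttribute('teaser', new SafeMarkup('<p>Hi "there" <b>you</b></p>'));
echo $el->toJson(), PHP_EOL;
echo '<my-element', $el->toHtmlAttributes(), '></my-element>', PHP_EOL;
```

The JSON line carries the markup as data, while the rendered element shows the same value with `<`, `>` and `"` entity-encoded, so it cannot break out of the attribute.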