Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The FilterCaption
plugin currently hard-codes which tags are allowed in image captions:
$html_filter = $this->filterManager->createInstance('filter_html', [
'settings' => [
'allowed_html' => '<a href hreflang target rel> <em> <strong> <cite> <code> <br>',
'filter_html_help' => FALSE,
'filter_html_nofollow' => FALSE,
],
]);
There are many other inline HTML tags that one might want to use in image captions, so this should probably be configurable.
Proposed resolution
Make these tags configurable.
Remaining tasks
- Allow attribute whitelisting.
User interface changes
Would add configuration for the image caption filter.
Data model changes
Adds configuration options.
Comment | File | Size | Author |
---|---|---|---|
#82 | 2508421_ckeditor5_caption_frontend.png | 288.35 KB | DuaelFr |
#82 | 2508421_ckeditor5_caption_backend.png | 169.6 KB | DuaelFr |
#79 | 2508421-nr-bot.txt | 144 bytes | needs-review-queue-bot |
#74 | 2508421-74.patch | 22.68 KB | andregp |
#74 | interdiff_2508421_73-74.txt | 338 bytes | andregp |
Comments
Comment #1
jhedstromThis makes these tags configurable, but CKEditor isn't aware of the change since this isn't an html restrictor type, not sure how to proceed there.
Comment #2
jhedstromComment #3
jhedstromComment #4
jhedstromThis adds a test.
Comment #5
jhedstromTagging WYSIWYG for now. Tempted to tag drupalwtf since we allow the 'code' tag but not other inline elements.
Comment #7
jhedstromReroll of #5 which no longer cleanly applied.
Comment #10
jhedstromRe-roll.
Comment #11
jhedstromRe-roll since SafeMarkup was removed.
Comment #13
jhedstromTest needed updating to account for #2509700: Add role="group" to <figure> to meet WCAG requirements.
Comment #14
Wim LeersI'm sorry, but this was a conscious choice back then to KISS, to have sane defaults. Having the ability to configure this is a nice-to-have, a pure addition, that we can do in 8.1.
Comment #15
Wim LeersTo be clear: +1 to this, and I'm very grateful that you're working on this! :) But right now, we need to focus on getting RC1 out.
Comment #23
jhedstromRe-roll. Temporarily back to 8.0.x to check tests (would be great if 8.1.x were up to date).
Comment #24
jhedstromTests not queued, trying again.
Comment #26
jhedstromBack to 8.1. That fail looks unrelated, but perhaps not.
Comment #28
jhedstromComment #30
jhedstromThis fixes the config installer test.
Comment #31
Wim LeersLooks like another patch is included with that one :)
Shouldn't the setting be called something like "allowed_caption_html"?
And shouldn't it also allow for attribute whitelisting, just like the HTML filter?
Comment #32
jhedstromOops, here's a proper patch. There was some confusion in my local setup regarding the 8.1.x branch.
Possibly...but in the context of the filter caption plugin, is that overly verbose?
Definitely. I've updated the IS.
Comment #34
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedRerolling Patch #32 because it won't apply to current 8.1.x. I can't do an interdiff for the same reason.
Comment #35
Wim LeersThe href attribute is hardcoded.
We should not do that. Instead, we should adopt the pattern that
FilterHtml
uses since #2549077: Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default, with explicit whitelisting of attributes or even attribute values.Because of that, this patch basically needs to be redone from scratch, because it is based on
FilterHtml
code from before that issue. It'll be easier to copy/paste the updatedFilterHtml
code than continuing with this patch.Comment #37
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedMoving the test code to FilterKernelTest and rerolling the patch for 8.2.x.
Starting to look into redoing the patch with the updated
FilterHtml
code from Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default, which has been merged in to 8.3.xComment #38
esod CreditAttribution: esod at Memorial Sloan Kettering Cancer Center commentedSame patch. Changing Status to
Needs review
to get it tested.Comment #44
DakwamineThis patch does not apply anymore on 8.5. Allowed tags are still hardcoded in the FilterCaption filter.
Comment #45
DakwamineUpdated the previous patch for 8.7.
Noticeable code wise differences:
'drupalImageCaption_alignFilterEnabled' => $format->filters('filter_align')->status,
I was able to patch on 8.5.4 and it works as expected on my site which uses entity embed. I have not tested with default captions on native inline images though.
Some tests may need a little refresh.
Comment #46
DakwamineAdded missing blank line.
Comment #47
Anybody#45 works great for me. RTBC+1
Comment #48
Wim LeersThank you very much for working on this! 🙏 (Merci beaucoup!)
This is not yet done.
The feedback in #35 also has not yet been addressed.
Do you think you could also address that? 🙂
Comment #49
DakwamineYou may expect from me an update next week if noone has already addressed the feedback until then.
Comment #50
Wim LeersWOOT! 🎉 🚀
Comment #51
DakwamineHi, sorry for the delay.
This is still a work in progress. I have tried to reuse the same filter system as FilterHtml. It works as expected, exactly the same way as FilterHtml: tags are first stripped out, then invalid attributes are removed. Here are my thoughts:
filter_html_nofollow
. This is why I had to add a new config to FilterCaption. Should we aswell let the user chose if he wants therel="nofollow"
attribute on links in the caption config? I am not sure about the consequences of this setting. Would it not be redundant with the "main" FilterHtml process if this one is also enabled?Comment #52
DakwamineInputs needed. :)
Comment #54
DakwamineOoops sorry, I was not up to date with the 8.7.x branch.
Comment #59
jonraedeke CreditAttribution: jonraedeke commentedThis patch is still working well for me. I don't really know enough to give the feedback that was requested though.
Comment #60
phernand42 CreditAttribution: phernand42 commentedPatch in #54 doesnt seem to be applyling to core version 8.9.6.
Comment #61
ankithashettyRe-rolling the patch in #54 against latest core 9.1.x dev version, so that it'll be easier to test by others and also attaching a diff_reroll file... Thanks!
Comment #62
AaronBaumanHere's a re-roll of #54 that applies to 8.9.x in case anyone else is not on 9 yet like me.
Comment #63
AaronBaumanAnd here's a reroll of #54 that applies to 8.9.6 (current HEAD has breaking changes)
Comment #65
dkosbob CreditAttribution: dkosbob commentedLooks like the use declaration of Drupal\Component\Utility\Xss was removed in 8.9.7. Here is another reroll for that.
Comment #66
AaronBaumanI think testbot is refusing to test because of coding standards issues.
Need a line break here between property definition and method doc:
2 other issues reported with javascript - not sure if those are blocking tests or not...
Comment #67
raman.b CreditAttribution: raman.b at OpenSense Labs commentedThis should give us a better idea of which tests are actually failing
Comment #68
jonraedeke CreditAttribution: jonraedeke commentedWe'll need to do this for the drupalmedia plugin as well.
Comment #71
nkraftI would love to be able use SUP and SUB tags inside my figcaptions. Anything I can do to bring this patch back to life so we can roll it into 9.3.x?
Thanks!
Comment #72
nyanmar CreditAttribution: nyanmar commentedHere's the addition with the drupalmedia plugin
Comment #73
andregp CreditAttribution: andregp at CI&T commented@rerolled for 9.4.x and fixed some CS errors from the patch.
Comment #74
andregp CreditAttribution: andregp at CI&T commentedSorry, I forgot to rebuild the .js files.
Comment #76
yogeshmpawarLooks like test failures are unrelated.
Comment #79
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #81
AaronBaumanis this still an issue for ckeditor5?
Comment #82
DuaelFrYes! I can confirm it is still an issue. See
\Drupal\filter\Plugin\Filter\FilterCaption::process()
.I cannot find any restriction on the CKEditor side anymore, though.
Backend:
Frontend:
Comment #83
DuaelFrUpdated IS