UrlHelper::filterBadProtocol() really ought not to be setting safe strings - it's only used in Xss::attributes() - which should not be marking anything as safe.
UrlHelper::filterBadProtocol() has existing test coverage in Drupal\Tests\Component\Utility\UrlHelperTest
Filing this in case #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping does not land.
This is a major bug because Xss filter should not lead to any text being marked as safe. It's major because it is very unexpected given the recent work in #2506195: Remove SafeMarkup::set() from Xss::filter()
Comment | File | Size | Author |
---|---|---|---|
#8 | 2546232.8.patch | 620 bytes | alexpott |
#2 | 2546232.2.patch | 771 bytes | alexpott |
Comments
Comment #2
alexpottHere's a patch.
Comment #3
alexpottComment #4
Wim LeersShould this be blocked on #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping?
These two lines are identical functionality-wise.
I'm assuming you're doing this solely to make the symmetry more apparent?
Comment #5
alexpottWell @xjm and others think #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping is wrong and tbh fixing this is more important.
Yep I think making the symmetry obvious makes reading the method simpler.
Comment #6
Wim LeersComment #7
catchSorry I'm postponing this on #2545972: Remove all code usages SafeMarkup::checkPlain() and rely more on Twig autoescaping, both wrappers are useful.
Comment #8
alexpottUsed Html::escape() not that it is not the exact opposite of Html::decodeEntities() but we have good test coverage around Xss and UrlHelper and this is the expected behaviour.
Comment #9
joelpittetComment #11
catchCommitted/pushed to 8.0.x, thanks!