SafeMarkup::format() should require arguments without them it is just SafeMarkup::set() in disguise [#2547851]

Comment	File	Size	Author
#28	2547851-2.28.patch	7.79 KB	alexpott
#28	24-28-interdiff.txt	5.49 KB	alexpott
#24	2547851-2.24.patch	2.3 KB	alexpott
#23	safemarkup_format-2547851-23.patch	5.41 KB	joelpittet
#23	interdiff.txt	904 bytes	joelpittet
#22	safemarkup_format-2547851-22.patch	5.42 KB	joelpittet
#22	interdiff.txt	1.93 KB	joelpittet
#20	safemarkup_format-2547851-20.patch	4.75 KB	joelpittet
#20	interdiff.txt	2.38 KB	joelpittet
#17	interdiff.txt	5.1 KB	joelpittet
#17	safemarkup_format-2547851-17.patch	3.71 KB	joelpittet
#14	2547851.14.patch	7.48 KB	alexpott
#14	10-14-interdiff.txt	1.73 KB	alexpott
#10	2547851.9.patch	7.25 KB	alexpott
#9	2547851.8.patch	7.25 KB	alexpott
#9	8-9-interdiff.txt	4.6 KB	alexpott
#8	2547851.8.patch	4.34 KB	alexpott
#8	6-8-interdiff.txt	561 bytes	alexpott
#6	2547851.6.patch	4.09 KB	alexpott
#6	3-6-interdiff.txt	852 bytes	alexpott
#3	2547851.3.patch	3.25 KB	alexpott
#3	2-3-interdiff.txt	1.17 KB	alexpott
#2	2547851.2.patch	3.23 KB	alexpott

Comment #1

10 years ago

alexpott created an issue. See original summary.

Log in or register to post comments

Comment #2

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status:

Active

» Needs review

Status	File	Size
new	2547851.2.patch	3.23 KB

Let's see if this breaks any tests.

Log in or register to post comments

Comment #3

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	2-3-interdiff.txt	1.17 KB
new	2547851.3.patch	3.25 KB

Fixing the filter tips page.

Log in or register to post comments

Comment #4

10 years ago

The last submitted patch, 2: 2547851.2.patch, failed testing.

Log in or register to post comments

Comment #5

10 years ago

Status:

Needs review

» Needs work

The last submitted patch, 3: 2547851.3.patch, failed testing.

Log in or register to post comments

Comment #6

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status:

Needs work

» Needs review

Status	File	Size
new	3-6-interdiff.txt	852 bytes
new	2547851.6.patch	4.09 KB

So this is the SafeMarkup::set() side effect problem in a nutshell. We're not escaping the markup in between the code tags as we should because it is marked safe when it should not be.

Log in or register to post comments

Comment #7

dawehner

German

CreditAttribution: dawehner as a volunteer commented 10 years ago

+++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php
index 054d101..4beb133 100644
--- a/core/lib/Drupal/Core/Entity/Plugin/DataType/EntityAdapter.php

--- a/core/lib/Drupal/Core/Entity/Plugin/DataType/EntityAdapter.php
+++ b/core/lib/Drupal/Core/Entity/Plugin/DataType/EntityAdapter.php

+++ b/core/lib/Drupal/Core/Entity/Plugin/DataType/EntityAdapter.php
+++ b/core/lib/Drupal/Core/Entity/Plugin/DataType/EntityAdapter.php
@@ -114,7 +114,7 @@ public function set($property_name, $value, $notify = TRUE) {

@@ -114,7 +114,7 @@ public function set($property_name, $value, $notify = TRUE) {
    */

You can remove the use statement now, yeah!

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -145,7 +145,7 @@ public function tips($long = FALSE) {
-          array('data' => SafeMarkup::format($tips[$tag][1]), 'class' => array('get'))
+          array('data' => ['#markup' => $tips[$tag][1]], 'class' => array('get'))

Yeah this call was effectively a SafemMarkup::set() call, right? On the other hand #markup will be ran through Xss::filterAdmin() which supports a supersets of these tags:

array_diff($tips, $a);
=> []

+++ b/core/modules/filter/src/Tests/FilterAdminTest.php
@@ -372,8 +372,8 @@ function testFilterTipHtmlEscape() {
     $link = '<a href="' . $base_url . '">' . SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '</a>';
...
+    $link_as_code = '<code>' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '

';
+ $ampersand_as_code = '' . htmlspecialchars($ampersand, ENT_QUOTES, 'UTF-8') . '';

Doesn't that result into double escaping now? It is just a test, but still ...

Log in or register to post comments

Status	File	Size
new	6-8-interdiff.txt	561 bytes
new	2547851.8.patch	4.34 KB

Actually we want what is in between the code tags to (single) escaped. At the moment we are relying in the fact that browser escape things between code tags for us. This is a regression from Drupal 7... it's code looks like this (spaces added to the code tags to make this work...:

  foreach ($entities as $entity) {
    $rows[] = array(
      array('data' => $entity[0], 'class' => array('description')),
      array('data' => '< code >' . check_plain($entity[1]) . '</ code >', 'class' => array('type')),
      array('data' => $entity[1], 'class' => array('get'))
    );
  }

Making this major like all the other SafeMarkup::set() removals and because of the regression.

Log in or register to post comments

Comment #9

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	8-9-interdiff.txt	4.6 KB
new	2547851.8.patch	7.25 KB

In fact we can get to the point where FilterHtml is no longer marking any of the help text safe which has got to be saner!

Log in or register to post comments

Comment #10

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	2547851.9.patch	7.25 KB

1 file was hidden/shown/deleted

Status	File	Size
hidden	2547851.8.patch	7.25 KB

Wrong patch in #9. Here's the correct patch.

Log in or register to post comments

Comment #11

dawehner

German

CreditAttribution: dawehner as a volunteer commented 10 years ago

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -144,7 +143,9 @@ public function tips($long = FALSE) {
+          // The markup must be escaped.

@@ -175,7 +176,9 @@ public function tips($long = FALSE) {
+        // The markup must be escaped.

Should it be explained why? ... because you want to see the tag for itself?

Log in or register to post comments

Comment #12

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 10 years ago

Issue tags:

+Needs change record

Log in or register to post comments

Comment #13

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Created https://www.drupal.org/node/2549107

Log in or register to post comments

Comment #14

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	10-14-interdiff.txt	1.73 KB
new	2547851.14.patch	7.48 KB

Improved documentation.

Log in or register to post comments

Comment #15

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status:

Needs review

» Needs work

This looks great and is hilarious that this was done so many times!

There are a few things in the patch that seem a bit out of the scope of the issue.

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -102,7 +101,7 @@ public function tips($long = FALSE) {
-      'a' => array($this->t('Anchors are used to make links to other pages.'), '<a href="' . $base_url . '">' . SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '</a>'),
+      'a' => array($this->t('Anchors are used to make links to other pages.'), '<a href="' . $base_url . '">' . htmlspecialchars(\Drupal::config('system.site')->get('name'), ENT_QUOTES, 'UTF-8') . '</a>'),

Not format, shouldn't be part of this patch.

```
+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -144,8 +143,10 @@ public function tips($long = FALSE) {
-          array('data' => SafeMarkup::format('<code>@var
```
', array('@var' => $tips[$tag][1])), 'class' => array('type')),
...
+ array('data' => ['#prefix' => '', '#markup' => htmlspecialchars($tips[$tag][1], ENT_QUOTES, 'UTF-8'), '#suffix' => ''], 'class' => array('type')),

This one has arguments, doesn't count.

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -144,8 +143,10 @@ public function tips($long = FALSE) {
-          array('data' => SafeMarkup::format($tips[$tag][1]), 'class' => array('get'))
...
+          // The markup must not be escaped.
+          array('data' => ['#markup' => $tips[$tag][1]], 'class' => array('get'))

implicit admin xss filter?

```
+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -175,8 +176,10 @@ public function tips($long = FALSE) {
-        array('data' => SafeMarkup::format('<code>@var
```
', array('@var' => $entity[1])), 'class' => array('type')),
...
+ array('data' => ['#prefix' => '', '#markup' => htmlspecialchars($entity[1], ENT_QUOTES, 'UTF-8'), '#suffix' => ''], 'class' => array('type')),

Same has arguments, out of scope.

+++ b/core/modules/filter/src/Plugin/Filter/FilterHtml.php
@@ -175,8 +176,10 @@ public function tips($long = FALSE) {
+        array('data' => ['#markup' => $entity[1]], 'class' => array('get'))

These could get a nice comma at the end.

+++ b/core/modules/filter/src/Tests/FilterAdminTest.php
@@ -368,12 +368,15 @@ function testFilterTipHtmlEscape() {
-    $link = '<a href="' . $base_url . '">' . SafeMarkup::checkPlain(\Drupal::config('system.site')->get('name')) . '</a>';
+    $link = '<a href="' . $base_url . '">' . htmlspecialchars($site_name_with_markup, ENT_QUOTES, 'UTF-8') . '</a>';

This is out of scope, not SafeMarkup::format()

```
+++ b/core/modules/filter/src/Tests/FilterAdminTest.php
@@ -368,12 +368,15 @@ function testFilterTipHtmlEscape() {
-    $link_as_code = '<code>' . $link . '
```
';
- $ampersand_as_code = '' . $ampersand . '';
+ $link_as_code = '' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '';
+ $ampersand_as_code = '' . htmlspecialchars($ampersand, ENT_QUOTES, 'UTF-8') . '';

SafeMarkup::checkPlain? till that other issue gets in.

Log in or register to post comments

Comment #16

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status:	Needs work	» Postponed
Issue tags:	-Needs change record

Use SafeMarkup::checkPlain when the string does not need to be added to the safe list is bug. Postponing on #2504529: SafeMarkup does not escape some filter tips - remove SafeMarkup usage from FilterHtml which will handle FilterHtml and then this will be a three line or so patch.

Log in or register to post comments

Comment #17

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status:

Postponed

» Needs review

Status	File	Size
new	safemarkup_format-2547851-17.patch	3.71 KB
new	interdiff.txt	5.1 KB

This doesn't need to be postponed on that, they are not related to the title of this.

Log in or register to post comments

Comment #18

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

This is a really good self contained fix that should just get in.

Log in or register to post comments

Comment #19

10 years ago

Status:

Needs review

» Needs work

The last submitted patch, 17: safemarkup_format-2547851-17.patch, failed testing.

Log in or register to post comments

Comment #20

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status:

Needs work

» Needs review

Status	File	Size
new	interdiff.txt	2.38 KB
new	safemarkup_format-2547851-20.patch	4.75 KB

Not sure how this passed before really but code values need to be escaped. And now with this change it's probably does need to be postponed.

Log in or register to post comments

Comment #21

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status:

Needs review

» Postponed

Postponing on #2550945: Add Html::escape()

Log in or register to post comments

Comment #22

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status:

Postponed

» Needs review

Status	File	Size
new	interdiff.txt	1.93 KB
new	safemarkup_format-2547851-22.patch	5.42 KB

Unpostponing this will likely conflict with #2504529: SafeMarkup does not escape some filter tips - remove SafeMarkup usage from FilterHtml

Log in or register to post comments

Comment #23

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Status	File	Size
new	interdiff.txt	904 bytes
new	safemarkup_format-2547851-23.patch	5.41 KB

Better escaping testing with assertEscaped()

Log in or register to post comments

Comment #24

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	2547851-2.24.patch	2.3 KB

Rerolled on top of #2504529: SafeMarkup does not escape some filter tips - remove SafeMarkup usage from FilterHtml.

Log in or register to post comments

Comment #25

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Issue tags:

+SafeMarkup, +D8 Accelerate

RTBC from me, just need to find someone to second it.

Log in or register to post comments

Comment #26

stefan.r CreditAttribution: stefan.r commented 10 years ago

Seconding, this seems like a good idea!

The method documentation still looks good and grepping the code for any SafeMarkup::set() without test coverage and a second argument I found nothing.

Maybe this could use an assert('$args !== array()') if we wanted to also disallow SafeMarkup::checkPlain($string, array());?

Log in or register to post comments

Comment #27

dawehner

German

CreditAttribution: dawehner as a volunteer and at Tag1 Consulting commented 10 years ago

I'm wondering whether there could be generic code which does not know its placeholders, so it maybe an empty array. For them the assert() would make it a bit harder.

Log in or register to post comments

Comment #28

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 10 years ago

Status	File	Size
new	24-28-interdiff.txt	5.49 KB
new	2547851-2.28.patch	7.79 KB

We can add the assert later... but lets also fix format_string() to work the same way.

Log in or register to post comments

Comment #29

stefan.r CreditAttribution: stefan.r commented 10 years ago

Status:

Needs review

» Reviewed & tested by the community

Looks like we have all the format_string() calls here, so RTBC

Log in or register to post comments

Comment #30

webchick

she/they

English

Vancouver 🇨🇦

CreditAttribution: webchick at Acquia commented 10 years ago

Status:

Reviewed & tested by the community

» Fixed

Committed and pushed to 8.0.x. Thanks!

Log in or register to post comments

Comment #31

10 years ago

webchick committed fa2724a on 8.0.x

Issue #2547851 by alexpott, joelpittet, dawehner, stefan.r, xjm:...

Log in or register to post comments

Comment #32

10 years ago

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Log in or register to post comments

Comment #33

stefan.r CreditAttribution: stefan.r commented 10 years ago

So contrib is now doing lovely things like this to work around the SafeMarkup::set removal

+++ b/src/EntityComparisonBase.php
@@ -83,7 +83,7 @@ class EntityComparisonBase extends ControllerBase {
-    $this->nonBreakingSpace = SafeMarkup::set('&nbsp;');
+    $this->nonBreakingSpace = SafeMarkup::format('&nbsp;', array());

https://www.drupal.org/node/2563017

Log in or register to post comments

Comment #34

joelpittet

he/him

English

Vancouver

CreditAttribution: joelpittet commented 10 years ago

Wow, dx be darned.

They haven't used SafeString:create() yet. At least that would only open up xss for their module instead of on the Safemakup sting list and all the site

Log in or register to post comments

SafeMarkup::format() should require arguments without them it is just SafeMarkup::set() in disguise

Comments

Change records for this issue

Parent issue

Referenced by