Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Follow-up to #2527360: Review all usages of Xss::filter(), Xss::filterAdmin(), and Html::escape()
We're using SafeMarkup::format in tests. We should not as this pollutes the safe string list and is irrelevant.
Where we are using it in $this->assertRaw()
we should just convert it to a string. Where we are using it in an assertion message we should just convert it to a string with the variables inserted like "This is a $lol test"
.
Comment | File | Size | Author |
---|---|---|---|
#78 | interdiff_70-78.txt | 4.74 KB | mohrerao |
#78 | 2549805-78.patch | 26.63 KB | mohrerao |
#70 | 2549805-70.patch | 26.52 KB | shalinigaur |
#55 | 2549805-55-D8.patch | 41.03 KB | mohit1604 |
#55 | interdiff.txt | 8.88 KB | mohit1604 |
Comments
Comment #2
xjmComment #3
alexpottSo how would be convert this? From BookTest.php
Comment #4
alexpottA couple of example conversions. Placeholders are going to be annoying.
Comment #5
geertvd CreditAttribution: geertvd at XIO commentedJust posting my progress, curious if I missed any placeholders.
This is still unfinished.
Comment #7
geertvd CreditAttribution: geertvd at XIO commentedThis should fix the test fails for now.
Still a work in progress, anyone feel free to work on this, I'll assign myself when i'm doing so.
Comment #8
geertvd CreditAttribution: geertvd at XIO commented@alexpott, i fixed that like this, does that seem acceptable?
Comment #11
joelpittetLooks like it needs a re-roll.
Comment #12
lokapujyaRerolled.
Comment #13
lokapujyas/expect/expected/g
Tempted to fix this here. Is it allowed or out of scope?
Comment #15
joelpittetIn scope imo. It's in a changed hunk so won't effect other patches more than what we are changing.
Comment #16
geertvd CreditAttribution: geertvd at XIO commentedJust pointing out that there still are a lot of occurrences of SafeMarkup::format() and format_string() that need replacing. My patch in #7 was just a work in progress.
Comment #17
joelpittetSince this is improving only tests. this can be done during RC. https://www.drupal.org/core/d8-allowed-changes#rc
Comment #18
lokapujyaFixed errors, fixed typos mentioned in #13, and removed a few more usages.
Comment #20
lokapujyaFix some mistakes that I added in #18.
Comment #21
lokapujya1.) Some of these strings are displayed in the browser when viewing test results. Why wouldn't those messages need to use SafeMarkup? Are they getting escaped later? I think they are auto-escpaped, but just making sure.
2.) Maybe we can split this issue up since there are over 100 instances.
Comment #22
DuaelFrThank you very mush @lokapujya!
To anwser your questions I think that variables in tests can be considered as safe as they are never taken from user inputs. Even if one of these variables were not safe, tests are not likely run from the UI on a production server so there would be no impact to an XSS injection in the tests results.
About the size of this patch I think that core maintainers would like to have some smaller changes to review but I don't know how they'd like them to be splitted. One should ask them what they prefer.
Finally, I have a remark about some changes introduced by your patch. For example in:
The fact is that %href get transformed in something like
<em>$href</em>
. So, your patch make us loose something. As<em>something</em>
is painful while reading tests results in command line, I'd suggest to add double quotes around the variable to keep the value separated from the other part of the message:Comment #23
lokapujyaThanks for reviewing!
Good point. Maybe the
<em>
is important for messages?I don't know if we should worry about this part. One could argue that is command line's problem. Command line could eventually support interpreting
<em>
tag.Comment #24
mpdonadioWhy don't we add a trait onto WebTestbase for a ::format() method that essentially does the same thing, but w/o the safe string handling? That should allow for nearly one-to-one replacement in tests?
Comment #25
DuaelFr@mpdonadio I like your idea. Ready to provide a patch? :)
Comment #26
mpdonadioSure. Probably not tomorrow, but I'll have something ready on Monday or Tuesday.
Comment #27
xjmSo the current patch is changing both assertions themselves, and assertion messages. These are two separate scopes actually and I think we should split them into two separate issues. The former (removing it from non-messages) is important to make sure our tests are testing the right thing. The latter (removing
format_string()
from assertion messages) does not affect the integrity of the test and is a separate discussion. At first @alexpott had suggested doing so, but then said once "actually SimpleTest result display sanitization works differently than I thought" and so said it would need to be considered more carefully. There may be a different issue for that somewhere.Also, I'm not actually in favor of adding additional assertion methods for the string formatting.
Finally, we should actually consider first off which of these assertion messages are unneeded. Often with an
assertText()
orassertRaw()
the custom assertion message is not actually adding any additional information.So my suggestion would be:
format_string()
and friends that are not on the message parameter.format_string()
, and just remove the parameter so only the default message is used.Comment #28
lokapujyareroll + beginning #27-1. So, this only includes what we already discovered in the previous patch. Many more may have been added.
Comment #30
lokapujyaComment #31
lokapujyaI think I've identified all of them. Left some as @todos. Do we still want to do this? If so, then if anyone wants to finish it off, go ahead.
Comment #33
lokapujyaremove the @
Comment #34
dawehnerJust some quick feedback.
a renderPlain would be enough here. In general it feels weird though that we require to do that, but yeah this more or less how its expected to work.
Comment #35
lokapujyaI feel responsible for fixing the errors.
Comment #36
lokapujyaWhat would be the ideal branch to commit this?
Comment #38
Mile23Rerolled to 8.2.x.
@xjm in #27 might disagree, but we could preserve the effort here by reviewing and committing, add a follow-up to split things out for assertion strings vs. message strings, and maybe even scope for format_string() only, and one for SafeMarkup::format().
After this patch, NetBeans says: Found 581 matches of format_string in 158 files and Found 179 matches of SafeMarkup::format in 63 files. That's searching through files that end in *Test.php.
Comment #40
joelpittetComment #42
joelpittetCustom test seemed to pass but it's stuck. @Mile23 mind uploading that again?
Comment #43
Mile23I see this in the jenkins log:
But I'll re-up anyway.
Comment #44
Mile23Ewps.
Comment #45
Mile23Patch still applies to 8.3.x. Re-running tests.
Comment #46
lokapujyaThe patch in @28 basically filters the changes down to what was suggested in the #27.1 comment. So patch #20 has a lot more conversions in it.
Comment #50
joelpittetComment #51
Mile23Reroll of #43.
There are still a lot more usages. We might finish up here with the remainder of either SafeMarkup or format_string, and then do a follow-up for the other one. For the sake of reviewability.
format_string() in *Test.php: 156 files.
SafeMarkup::format() in *Test.php: 63 files.
Let's finish out SafeMarkup::format() here when this patch passes.
Comment #52
Mile23Comment #54
mohit1604 CreditAttribution: mohit1604 at Google Summer of Code commentedComment #55
mohit1604 CreditAttribution: mohit1604 at Google Summer of Code commentedComment #57
alexpottSome of this is going to be done automatically by #2958429: Properly deprecate SafeMarkup::format() - and some of this is going to be done by #2228741: Replace calls to format_string() with Drupal\Component\Render\FormattableMarkup. I think we should postpone on those two issue so that this issue only has to deal with FormattableMarkup usage in tests and not with any deprecated code.
Comment #60
andypostIt could be closed, no more usage found in core
Comment #63
xjm@andypost Well, no, the original scope wasn't only about removing deprecated API use; it was the followup to getting rid of
t()
in tests. The equivalent of the safe string list is still being polluted by whatever's left in tests.Comment #64
xjmComment #65
mrinalini9 CreditAttribution: mrinalini9 at Srijan | A Material+ Company for Drupal India Association commentedComment #66
mrinalini9 CreditAttribution: mrinalini9 at Srijan | A Material+ Company for Drupal India Association commentedRerolled patch for 9.1.x and removed FormattableMarkup and t() from tests, please review.
Comment #67
mrinalini9 CreditAttribution: mrinalini9 at Srijan | A Material+ Company for Drupal India Association commentedComment #68
mrinalini9 CreditAttribution: mrinalini9 at Srijan | A Material+ Company for Drupal India Association commentedFixed PHPLint issues in #66, please review.
Comment #69
shalinigaur CreditAttribution: shalinigaur at Srijan | A Material+ Company commentedComment #70
shalinigaur CreditAttribution: shalinigaur at Srijan | A Material+ Company commentedComment #72
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedWorking on failed tests
Comment #73
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented1. Ran
grep -r "FormattableMarkup" *
and could find FormattableMarkup still in many places.2. Also found t() being used in many asserts.
Comment #74
longwaveWe have a separate meta for t() as there are thousands of these to replace. This issue should be for FormattableMarkup only.
Comment #75
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented@longwave in #63, it was requested for.
Comment #76
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedComment #77
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedMoved to back to needs work and working on failed tests.
Comment #78
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedFixed failing tests in #70. Also removes t() from many places.
I second #74. It would be better to have a separate issue from removal of t().
Comment #79
longwaveThat issue already exists: #3133726: [meta] Remove usage of t() in tests not testing translation
There are 933 instances of "new FormattableMarkup" in tests, is this too much to fix in one issue? As with the t() issue, should we convert this to a meta and try and break this down into smaller patches that are easier to write and review?
Comment #80
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented@longwave, I think it would be better not to pollute the scope of this issue. We can group all issues for removal of t() under one meta and then address it from there. Also want to know @xjm's view on this as she mentioned that the scope also includes removal of t() in #63.
Comment #81
mohrerao CreditAttribution: mohrerao as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedMoving to Needs review and expecting comments form @longwave and @xjm
Comment #84
longwaveWe are almost done with removing t() in tests, there are two child issues of #3133726: [meta] Remove usage of t() in tests not testing translation open and then we should be done.
There are roughly just under 1000 references to FormattableMarkup in tests:
Some of those will be use statements and comments, or tests of FormattableMarkup itself. If we cut this down into just assertions there are about 600:
If we then break those down into kernel and functional tests, those seem manageable amounts to do in separate child issues:
Does that seem OK as a rescoping of this problem? We can then clean up any final leftovers in this issue.
Comment #85
mondrakeComment #88
joachim CreditAttribution: joachim as a volunteer commentedBased on #84, it looks like this needs work?