Problem/Motivation

The meta titles of the pages are escaped twice.

Steps to reproduce:

  1. Create a node whose title is "It's her birthday !"
  2. Display the node

Expected meta title: It's her birthday ! | Site name
Current meta title: It's her birthday ! | Site name

There is a core issue that tries to work on it: #2579091: Make safe_join Twig filter return a Markup object
We can still provide a working version right now.

Proposed resolution

Use the |raw filter on the title variable so it's not escaped again (and it's more secure too).

Remaining tasks

Patch, Review, Commit

User interface changes

None.

API changes

None.

Data model changes

None.


Comments

DuaelFr created an issue.

DuaelFr

Status: Active » Needs review
File size: 455 bytes

andypost

Status: Needs review » Reviewed & tested by the community

RTBC, this is pretty annoying to fix every time

JohnAlbin

Status: Reviewed & tested by the community » Postponed (maintainer needs more info)

"Use the |raw filter on the title variable so it's not escaped again (and it's more secure too)."

What? No, you have it backwards. Using the |raw filter is extremely dangerous unless you know what you are doing. e.g. If an anonymous user is allowed to create nodes on a site, allowing un-filtered markup in the title is a security hole.

If there is a problem it is probably in html.html.twig where it says {% set title = head_title|safe_join(' | ') %}

Also, I don't understand what the issue is. The current issue description has an example with a "current title" of It's her birthday ! | Site name. It's not double-escaped like the issue claims, so it looks exactly like what I would expect.

Can you update the example so it actually shows the problem?

andypost

Status: Postponed (maintainer needs more info) » Reviewed & tested by the community

Yes, the problem is in this set, which should be removed; see http://cgit.drupalcode.org/zen/tree/STARTERKIT/templates/layout/html.htm...

Core does this in place: http://cgit.drupalcode.org/drupal/tree/core/themes/classy/templates/layo...

It is double-escaped: first in safe_join and second in the template on render!
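
The behaviour discussed in the comments above, as an added example that is not part of the original thread and is not Zen, Twig or Drupal code: a small PHP model of autoescaping in which `SafeMarkup`, `esc`, `autoescape` and this `safe_join` are hypothetical stand-ins. It assumes the in-place form is treated as already-safe output, as the comment above describes for core; the sample titles are constructed.

```php
<?php
// Simplified model of autoescaping, written for this example; not Twig or Drupal code.

// Hypothetical stand-in for a "safe markup" object that autoescape leaves alone.
final class SafeMarkup {
    public function __construct(public string $html) {}
}

function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Models {{ value }}: escape unless the value is marked safe.
function autoescape(string|SafeMarkup $v): string {
    return $v instanceof SafeMarkup ? $v->html : esc($v);
}

// Models safe_join: escape each part that is not marked safe, then join into a plain string.
function safe_join(array $parts, string $glue): string {
    return implode($glue, array_map('autoescape', $parts));
}

// Constructed sample node titles.
$samples = ["It's her birthday !", '<script>alert(1)</script>'];

foreach ($samples as $node_title) {
    $head_title = [$node_title, 'Site name'];

    // {% set title = head_title|safe_join(' | ') %} then {{ title }}:
    // the joined string is no longer known to be safe, so it is escaped again.
    $via_set = autoescape(safe_join($head_title, ' | '));

    // {{ head_title|safe_join(' | ') }} in place (assumed treated as safe output).
    $in_place = autoescape(new SafeMarkup(safe_join($head_title, ' | ')));

    // {{ title|raw }} on a value that nothing escaped beforehand.
    $raw_unescaped = implode(' | ', $head_title);

    printf("set + print : %s\nin place    : %s\nraw, no esc : %s\n\n",
        $via_set, $in_place, $raw_unescaped);
}
```

In each group the first line is the double-escaped title (the apostrophe comes out as `&amp;#039;`), the second is escaped once, and the third shows markup reaching the page unchanged when `|raw` is applied to a value that was never escaped.
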

blacklabel_tom

Hi All,

I've attached a patch that fixes this issue for me.

Cheers

Tom

blacklabel_tom

Status: Reviewed & tested by the community » Needs review