Contrib.social

Review all usages of Xss::filter(), Xss::filterAdmin(), and Html::escape()

Open on Drupal.org β†’
Created on 6 July 2015, about 10 years ago
Updated 9 April 2025, 4 months ago

#2506195: Remove SafeMarkup::set() from Xss::filter() β†’ has revealed that we should be relying on the render system's auto-escape and auto-filtering more. If a string is not marked safe then the render system will automatically escape HTML. Therefore calls to SafeMarkup::checkPlain() like:

    $form['admin_label'] = array(
      '#type' => 'item',
      '#title' => $this->t('Block description'),
      '#markup' => SafeMarkup::checkPlain($definition['admin_label']),
    );

Are unnecessary. Here we could just change #markup to #value and rely on auto-escaping.

The calls to Xss::filterAdmin can be replaced by converting to a render array. For example:

      $variables['types'][$type->id()] = array(
        'type' => $type->id(),
        'add_link' => \Drupal::l($type->label(), new Url('node.add', array('node_type' => $type->id()))),
        'description' => Xss::filterAdmin($type->getDescription()),
      );

We can just do 'description' => array('#markup' => $type->getDescription()), instead because all #markup is auto-filtering for the admin tag list by the render system.

πŸ“Œ Task
Status

Needs work

Version

11.0 πŸ”₯

Component

theme system

Created by

πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 4 months ago β†’
    πŸ‡«πŸ‡·France duaelfr Montpellier, France

    This is quite old!
    I was digging into an issue with inline templating within Views and found this piece of code from \Drupal\views\Plugin\views\PluginBase::viewsTokenReplace():

          // Use the unfiltered text for the Twig template, then filter the output.
      // Otherwise, Xss::filterAdmin could remove valid Twig syntax before the
      // template is parsed.

      $build = [
        '#type' => 'inline_template',
        '#template' => $text,
        '#context' => $twig_tokens,
        '#post_render' => [
          function ($children, $elements) {
            return Xss::filterAdmin($children);
          },
        ],
      ];

      // Currently you cannot attach assets to tokens with
      // Renderer::renderInIsolation(). This may be unnecessarily limiting. Consider
      // using Renderer::executeInRenderContext() instead.
      // @todo https://www.drupal.org/node/2566621
      return (string) $this->getRenderer()->renderInIsolation($build);

    Here, even if we are using Twig's render engine, filterAdmin is called on post_process without any way to bypass it. In my case, I have an inline template that includes an image field rendered with a responsive style. The <picture> and <srcset> tags are dropped by this post process so I must use an external template instead of the builtin feature of views.

  • First commit to issue fork.
  • Merge request !12207Remove unnecessary Xss::filterAdmin() calls β†’ (Open) created by prudloff
  • Pipeline finished with Success
    3 months ago
    Total: 650s
    #504210
  • Comment 3 months ago β†’
    πŸ‡«πŸ‡·France prudloff Lille

    I had a look and only found this call that could easily be removed. But I might have missed some others.

    I think several calls have been removed over the years ( #2569381: Drupal\views\Plugin\views\area\Result does an unnecessary XSS::adminFilter() β†’ for example).

    @duaelfr I'm not sure this is related. I think there was some issue about being able to set the list of allowed tags in view templates but I can't find it.

  • Status changed to Needs review 21 days ago
  • Comment 21 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Not sure I follow why https://www.drupal.org/project/drupal/issues/2036219 is no longer needed.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    @smustgrave Re: #26, wrong issue?

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Updated comment sorry!

  • Comment 20 days ago β†’
    πŸ‡«πŸ‡·France prudloff Lille

    Not sure I follow why Markup::create(Xss::filterAdmin($element['#value'])); is no longer needed.

    #markup already calls Xss::filterAdmin() when it is rendered.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    A call in the HtmlTag element itself; very nice!

    FWIW regarding #22 which I did not read closely before, I think that is works as designed.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    Is any of #9 forward-portable?

  • Comment 20 days ago β†’
    πŸ‡«πŸ‡·France prudloff Lille

    The patch from #9 blindly replaces Xss::filter() calls with a render array, even in places where the expected type is a string.
    For example:

    -    $safe_string->string = Html::normalize(Xss::filter($string, static::allowedTags()));
+    $safe_string->string = Html::normalize(['#markup' => $string, '#allowed_tags' => static::allowedTags()]);

    This would definitely not work.

    Which is why I did not use it as basis for the MR and started from scratch.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    Ah good call; I did not actually review it. Thanks @prudloff.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024