We had the same problem as #25, and the patch in #25 worked well, for version 3.0.0-beta.
- 🇵🇹Portugal dxvargas
I have a question about the patch #25 and the usage of Drupal\Core\Render\Markup::create. Is it safe?
I'm afraid we are marking the message sent by the user as safe and sending it as is in the email.
Can someone please confirm or rebut this?
- 🇨🇦Canada Jaypan
usage of Drupal\Core\Render\Markup::create. Is it safe?
I don't think it is. From the Markup documentation:
This object should only be constructed with a known safe string. If there is any risk that the string contains user-entered data that has not been filtered first, it must not be used.
- Merge request !132: Allow safe HTML tags in private message notifications (Closed), created by jphelan
- 🇺🇸United States jphelan
Yeah, I think you guys are right, I think we need to use Xss::filter() on it. I've created a new patch to allow only a few safe HTML tags.
- 🇧🇪Belgium herved
Can't we simply use $private_message->get('message')->processed?
This uses \Drupal\text\TextProcessed::getValue and returns a FilteredMarkup, which would align with the filter format. Xss::filter may filter way more than expected.
- 🇷🇴Romania claudiu.cristea Arad 🇷🇴
We need a test to prove that text from email is not HTML-encoded. Also, please use the MR; with patches there's no test run.
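As an added illustration of the three approaches debated above (the Markup::create pattern from patch #25, the Xss::filter allow-list, and herved's ->processed suggestion), not code from the private_message module or from any patch in this issue; it assumes a content entity whose text-format field is named message, and the function names are hypothetical:

```php
<?php
// Added example, not the private_message module's own code. The field name
// 'message' is taken from this thread; the entity type is assumed to be any
// ContentEntityInterface with a text-format field of that name.

use Drupal\Component\Utility\Xss;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Render\Markup;

/**
 * Unsafe (patch #25 pattern): the raw field value is user input, but
 * Markup::create() declares it already-safe HTML, so whatever the sender
 * typed reaches the notification email unchanged.
 */
function pm_mail_body_unsafe(ContentEntityInterface $private_message) {
  return Markup::create($private_message->get('message')->value);
}

/**
 * Allow-list approach (jphelan's MR): keep only a few tags. Xss::filter()
 * applies its own tag list rather than the field's text format, which is
 * why it can strip more than the format would allow.
 */
function pm_mail_body_xss_filter(ContentEntityInterface $private_message) {
  $raw = $private_message->get('message')->value;
  // Second argument is the allowed-tag list; everything else is removed.
  return Xss::filter($raw, ['a', 'em', 'strong', 'p', 'br']);
}

/**
 * Text-format approach (herved's suggestion): the computed 'processed'
 * property runs the value through the text format stored with the field
 * (TextProcessed::getValue()) and returns a FilteredMarkup, so the output
 * matches what the site renders elsewhere for that format.
 */
function pm_mail_body_processed(ContentEntityInterface $private_message) {
  return $private_message->get('message')->processed;
}
```

Only the first function marks unfiltered input as safe; the other two return output that has actually been filtered, which is the property a test on the sent email should assert.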
- claudiu.cristea committed c496aa62 on 3.0.x: Issue #2971692 by claudiu.cristea, jphelan, opdavies, Abdelrahman Amer,...
Automatically closed - issue fixed for 2 weeks with no activity.