text_summary() returns a plain string, even if passed a MarkupInterface object

Created on 10 July 2019, almost 5 years ago
Updated 26 June 2023, 12 months ago

Problem/Motivation

  • Create an Article node. For the Body field, choose the "Full HTML" format, click the "Source" button in the CKEditor toolbar, and enter the following HTML:
    <iframe src="http://example.com/"></iframe>
    <!--break-->
    stuff below the fold
    
  • Save that article. Notice that the iframe and the "stuff below the fold" is displayed, because the article is being shown in the "Full" view mode.
  • Go to the home page. Notice that nothing is shown for the article's teaser, not even the iframe.
  • This is because for the teaser, text_summary() is called and passed a FilteredMarkup object, marking the string as safe for rendering, because it's already been processed by a text format (in this case, by "Full HTML" which allows iframes). However, text_summary() then extracts the part before <!--break-->, and returns it as a plain string. Because it's a plain string, not a MarkupInterface object, when it gets rendered it gets passed to Xss::filterAdmin(), which strips out the iframe.
  • We're running into this problem in #2940029-89: Add an input filter to display embedded Media entities , where the iframe is a rendered YouTube video. In other words, this bug prevents the "Media Embed" filter from working as expected when embedded videos should otherwise be displayed in a content teaser.

Proposed resolution

Fix text_summary() to return a MarkupInterface object when a MarkupInterface object is passed in.

Remaining tasks

This issue is tagged with "Needs security review", because we should make sure that the proposed resolution is in fact a safe thing to do. In other words, if an HTML string has been determined to be safe to render, is it valid to assume that a fragment of it is also safe to render?

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
Text 

Last updated 11 days ago

Created by

🇺🇸United States effulgentsia

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.69.0 2024