text_summary() returns a plain string, even if passed a MarkupInterface object

Created on 10 July 2019, over 5 years ago
Updated 26 June 2023, over 1 year ago

Problem/Motivation

  • Create an Article node. For the Body field, choose the "Full HTML" format, click the "Source" button in the CKEditor toolbar, and enter the following HTML:
    <iframe src="http://example.com/"></iframe>
    <!--break-->
    stuff below the fold
    
  • Save that article. Notice that the iframe and the "stuff below the fold" are displayed, because the article is being shown in the "Full" view mode.
  • Go to the home page. Notice that nothing is shown for the article's teaser, not even the iframe.
  • This is because for the teaser, text_summary() is called and passed a FilteredMarkup object, marking the string as safe for rendering, because it's already been processed by a text format (in this case, by "Full HTML" which allows iframes). However, text_summary() then extracts the part before <!--break-->, and returns it as a plain string. Because it's a plain string, not a MarkupInterface object, when it gets rendered it gets passed to Xss::filterAdmin(), which strips out the iframe.
  • We're running into this problem in #2940029-89: Add an input filter to display embedded Media entities, where the iframe is a rendered YouTube video. In other words, this bug prevents the "Media Embed" filter from working as expected when embedded videos should otherwise be displayed in a content teaser.

Proposed resolution

Fix text_summary() to return a MarkupInterface object when a MarkupInterface object is passed in.

Remaining tasks

This issue is tagged with "Needs security review", because we should make sure that the proposed resolution is in fact a safe thing to do. In other words, if an HTML string has been determined to be safe to render, is it valid to assume that a fragment of it is also safe to render?

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
Text 

Last updated 9 days ago

Created by

🇺🇸United States effulgentsia

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
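
The mechanism described in the issue summary, as a standalone PHP 8 sketch added here (it is not Drupal core code and not the patch under review). `MarkedSafe`, `FilteredText`, `admin_filter()`, `render()` and the two `summary_*()` functions are hypothetical stand-ins for `MarkupInterface`, `FilteredMarkup`, `Xss::filterAdmin()`, the renderer and `text_summary()`; the filter is simplified to strip only iframe tags.

```php
<?php
// Hypothetical stand-ins for illustration; none of this is Drupal's own code.
interface MarkedSafe { public function __toString(): string; }

final class FilteredText implements MarkedSafe {
  public function __construct(private string $html) {}
  public function __toString(): string { return $this->html; }
}

// Simplified stand-in for the admin XSS filter: only removes iframe tags.
function admin_filter(string $html): string {
  return preg_replace('#</?iframe\b[^>]*>#i', '', $html);
}

// Renderer rule from the issue: objects marked safe pass through untouched,
// plain strings are filtered before output.
function render(string|MarkedSafe $value): string {
  return $value instanceof MarkedSafe ? (string) $value : admin_filter($value);
}

// Reported behaviour: the part before <!--break--> comes back as a plain string.
function summary_plain(string|MarkedSafe $text): string {
  $html = (string) $text;
  $pos = strpos($html, '<!--break-->');
  return $pos === false ? $html : substr($html, 0, $pos);
}

// Proposed behaviour: re-wrap the summary only when the input was marked safe.
function summary_preserving(string|MarkedSafe $text): string|MarkedSafe {
  $summary = summary_plain($text);
  return $text instanceof MarkedSafe ? new FilteredText($summary) : $summary;
}

// Constructed sample input, taken from the reproduction steps.
$html = "<iframe src=\"http://example.com/\"></iframe>\n<!--break-->\nstuff below the fold";
$cases = [
  'marked safe, plain summary' => render(summary_plain(new FilteredText($html))),
  'marked safe, preserved type' => render(summary_preserving(new FilteredText($html))),
  'unmarked string, preserved type' => render(summary_preserving($html)),
];
foreach ($cases as $label => $output) {
  printf("%-32s %s\n", $label, json_encode($output));
}
```

Only the second case keeps the iframe; the third shows that re-wrapping does not extend trust to input that never went through a text format. Whether a fragment of already-filtered markup is itself safe to render is still the question the security review has to answer.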
