- πΊπΈUnited States bluegeek9
I think unserialize($values, ['allowed_classes' => FALSE]) is the behavior we want.
- Status changed to Closed: works as designed
about 1 year ago 1:23am 30 January 2024
After upgrading from Drupal 8.5.3. to 8.5.14, message tokens which were created using Markup were no longer displaying.
This may not be a widespread issue, as our implementation is slightly customized where we dynamically create messages when events on the. website occur. In this case, we pass through custom tokens to get replaced by the template, some of which include HTML.
$message->setArguments([
'@user' => Markup::create('id().'">'.$user->getAccountName().''),
'@text' => ' posted a Blog - ',
'@content' => Markup::create('url().'">'.$node->getTitle().''),
]);
After the upgrade, anything wrapped in Markup::create() started throwing an error as it was being returned as __PHP_Incomplete_Class. Digging into this, and finally coming across a post on the shopify module queue here: https://www.drupal.org/project/shopify/issues/3034741 β it was clear it was due to SA-CORE-2019-003 security release which uses unserialize($values, ['allowed_classes' => FALSE]); and thus turns the unserialized object into a "__PHP_Incomplete_Class" object.
Also posted on Github here: https://github.com/Gizra/message/issues/252
Closed: works as designed
1.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
I think unserialize($values, ['allowed_classes' => FALSE]) is the behavior we want.