Contrib.social

Maxlength validation counts newlines twice

Open on Drupal.org β†’
Created on 3 August 2021, over 3 years ago
Updated 11 February 2023, about 2 years ago

Steps to reproduce

  • Add a maxlength attribute to a textarea and set it to 400
  • Write a text with new lines with exactly 400 characters including some new lines where every new line counts as 1 character (like .val().length in JavaScript counts)

We found this issue with some custom JavaScript which shows to the user a counter how many characters are left. The counter shows "0 characters left" but the PHP validation claims that too many characters are used.

Proposed resolution

Problem is in FormValidator class the method performRequiredValidation(). mb_strlen($elements['#value']) counts evey new line as two characters. As suggested here https://stackoverflow.com/questions/68618268/mb-strlen-counts-new-lines-... the numbers of new lines should be deducted so that each new line becomes counted ony once:

   if (isset($elements['#maxlength'])) {
      $countCharacters = mb_strlen($elements['#value']) - substr_count($elements['#value'], "\n");
      if ($countCharacters > $elements['#maxlength']) {
        $form_state->setError($elements, $this->t('@name cannot be longer than %max characters but is currently %length characters long.', ['@name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title'], '%max' => $elements['#maxlength'], '%length' => $countCharacters]));
      }
    }

Remaining tasks

Tests
Code review

πŸ› Bug report
Status

Needs work

Version

9.5

Component
FormΒ  β†’

Last updated about 9 hours ago

Created by

πŸ‡©πŸ‡ͺGermany tobiberlin Berlin, Germany

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request β†’ as a guide.

    For the tests requested in #4

  • Status changed to Active 6 days ago
  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dcam

    I verified the problem on my Windows laptop. This is still an issue with the latest 11.x-dev.

    The issue summary has been updated with information about the actual problem. This isn't the result of PHP "counting new line characters twice." The problem is that in Windows new lines are literally two characters, a carriage return and line feed (\r\n). JavaScript and browsers ignore the \r when calculating string length. PHP counts them both.

    Thus, the former proposed fix and patch in #3 are unacceptable solutions. They would cause strings to pass form validation, but would eventually result Drupal trying to save strings that are too long into database fields whose sizes are set to the given maxlengths. That would result in even worse errors, probably WSoDs.

    I don't know what the best solution is to the problem. A framework manager will have to decide.

  • Merge request !11677Added a basic FunctionalJavascript test β†’ (Open) created by dcam
  • Pipeline finished with Failed
    6 days ago
    Total: 235s
    #460492
  • Pipeline finished with Failed
    6 days ago
    Total: 593s
    #460495
  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dcam

    I wrote a very basic FunctionalJavascript test that demonstrates the issue. The test fails because it finds the server-side validation error message after submitting the form. It will have to be modified appropriately after a solution for the bug has been decided, but it demonstrates that there's a problem for now. I wanted to make it verify the contents of the textarea field before submitting the form, but I don't know how. This is literally the first FunctionalJavascript test that I've written.

    Anyway, I'm leaving the Needs Tests tag since it will have to be improved or modified. But I'm changing the status to Needs Review to get the attention of a maintainer for an opinion on a fix.

  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dcam
  • Comment 6 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dcam

    Form validation issues are described as having Major status.

  • Comment 5 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Not 100% sure putting into review will grab the attention.

    Though it's good to have the hard part done in a test.

    Will post in slack though to try and kick start it.

  • Comment about 9 hours ago β†’
    godotislate

    Looking at the HTML5 Standard, the maxlength attribute for a form control is validated by its "API Value".

    In the case of textarea elements, the API value and value differ. In particular, newline normalization is applied before the maximum allowed value length is checked (whereas the textarea wrapping transformation is not applied).

    And the newline normalization converts "\r\n" and "\r" to "\n". So in PHP, the maxlength should be validated against the submitted value with the same newline normalization.

    This likely affects submissions regardless of the user's brower/OS. Also per the HTML5 standard, the submitted form values should have "\n" and "\r" normalized to "\r\n". So the form values in PHP should have "\r\n" exclusively. Testing on Chrome in MacOS, I can validate that this is what I've observed. Putting a breakpoint on these lines in Drupal\Core\Form\FormValidator::performRequiredValidation():

        // Verify that the value is not longer than #maxlength.
    if (isset($elements['#maxlength']) && mb_strlen($elements['#value']) > $elements['#maxlength']) {
      $form_state->setError($elements, $this->t('@name cannot be longer than %max characters but is currently %length characters long.', [
        '@name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title'],
        '%max' => $elements['#maxlength'],
        '%length' => mb_strlen($elements['#value']),
      ]));
    }

    If I only hit "return" 20 times in a textarea with #maxlength 20 and submit the form, then the value of $elements['#value'] is "\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", and mb_strlen($elements['#value']) is 40.

    I think best way forward is to do the same newline normalization in Drupal\Core\Render\Element\Textarea::valueCallback(), so that the maxlength validation is equivalent on the frontend and backend. I think it also makes sense to store this normalized value, so that there isn't an error if the same character limit is applied on the database column, but it needs to be validated that when the value is retrieved and presented back to browsers, that this doesn't create any issues across browsers/OSes.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024