Decode entities in captions when using a token

Created on 3 May 2022, about 3 years ago
Updated 1 March 2023, about 2 years ago

Problem/Motivation

When configured to use a field token as the caption when using the colorbox field formatter, the caption in the popup will have encoded entities. Things like apostrophes and quotations are encoded by the token service.

Steps to reproduce

Configure the colorbox field formatter to use a field token as the caption.
Populate that field on the entity with something like: I said "What's the issue?"
View the entity and click on the item to view the colorbox modal.
View the encoded characters.

Proposed resolution

Use \Drupal\Component\Render\PlainTextOutput::renderFromHtml() to prepare the caption text.

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

πŸ› Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

🇺🇸 United States pookmish

Comments & Activities

  • 🇬🇧 United Kingdom james.williams

    PlainTextOutput::renderFromHtml() is ideal when you only want plain text in the captions, but there seems to be a case for HTML in them too (see #3263032: HTML links no longer work in custom captions), so I'm not sure this can always be appropriate.

    I found I get double-escaped HTML in the captions, even when I don't use tokens for captions, because Xss::Filter() is used at the end of template_preprocess_colorbox_formatter(), regardless of the source of the caption. Regardless of the caption, the title attribute on the colorbox link produced by that formatter's template is double-escaped, from what I can see!

    Now I realise this module has had security issues, but I wonder if this is a place where this is no longer appropriate? I think Twig auto-escaping would be sanitising the attributes array in the template already. But I'm not confident enough to know that wouldn't just open another security problem.
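
The double-escaping discussed in the comment above and the proposed decode step, as an added example in plain PHP that is not part of the issue or of the Colorbox module. `escape_once()` and `plain_text()` are hypothetical stand-ins for the token/Twig escaping and for `PlainTextOutput::renderFromHtml()` (assumed here to strip tags and then decode entities), and the field values are constructed.

```php
<?php
// Added illustration in plain PHP; not Colorbox or Drupal code.
// escape_once() stands in for both the token service's entity encoding and
// Twig auto-escaping. plain_text() is a hypothetical stand-in for the
// proposed PlainTextOutput::renderFromHtml() call (assumed: strip tags,
// then decode entities).

function escape_once(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function plain_text(string $html): string {
    return html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns what ends up in the title attribute for each handling of the caption.
function caption_outputs(string $fieldValue): array {
    $fromToken = escape_once($fieldValue);      // token replacement, already encoded
    $plain = plain_text($fromToken);            // decoded back to raw text
    return [
        'token value'        => $fromToken,
        'escaped again'      => escape_once($fromToken), // the reported symptom
        'decoded, unescaped' => $plain,                  // raw text, not HTML-safe
        'decoded + escaped'  => escape_once($plain),     // encoded exactly once
    ];
}

// Constructed field values: the one from the steps to reproduce, and one
// where the editor typed markup characters into a plain-text field.
$samples = ['I said "What\'s the issue?"', 'Photo <b>one</b> & two'];

foreach ($samples as $value) {
    $out = caption_outputs($value);
    echo "field value: $value\n";
    foreach ($out as $label => $text) {
        printf("  %-19s %s\n", $label . ':', $text);
    }
    // A browser decodes the attribute once; only the last variant round-trips.
    assert(html_entity_decode($out['decoded + escaped'], ENT_QUOTES) === $value);
    assert(html_entity_decode($out['escaped again'], ENT_QUOTES) !== $value);
}
```

For the second sample the "decoded, unescaped" row contains literal markup again, so a decoded caption still needs exactly one round of escaping where it is written into the attribute.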
