Contrib.social

Summaries should not be decoded with Html::decodeEntities

Open on Drupal.org β†’
Created on 16 March 2023, over 2 years ago

Problem/Motivation

Currently, asset injector summaries are decoded, however this results in unnecessarily escaped HTML.

e.g. if the summary returns:

$this->t('Condition filter values: %theme.', [
  '%theme' => $this->configFactory->get('system.theme')->get('default'),
]);

Steps to reproduce

Use a condition which returns a summary containing Drupal placeholders.

Proposed resolution

Don't escape as the underlying module providing the summary should've already handled all the necessary sanitization.

We could also potentially wrap it in something along the lines of this (but shouldn't be necessary since it's not user generated content):

Markup::create(Xss::filterAdmin($summary->render()));

Remaining tasks

Provide issue fork/patches.

User interface changes

N/A

πŸ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

codebymikey

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @codebymikey
  • Merge request !9Issue #3348521: Summaries should not be decoded with Html::decodeEntities β†’ (Open) created by codebymikey
  • Status changed to Needs review over 2 years ago
  • Comment over 2 years ago β†’
    codebymikey

    Added issue fork, the current approach also allows it to work if the third party module happens to return a simple string rather than markup.

  • First commit to issue fork.
  • Comment about 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    The module's implementation changed in the meantime:
    $data['conditions'][$condition_id] = is_string($summary) ? Html::decodeEntities($summary) : Html::decodeEntities($summary->render());

    Could the maintainer eventually explain why Html::decodeEntities() is used here at all?

    I also can't really see a benefit, theoretically it's even more a risk:

    Be careful when using this function, as it will revert previous sanitization efforts (<script> will become

    ).
    https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Utility%21Html.php/function/Html%3A%3AdecodeEntities/8.9.x So I think it should be removed for good reasons, if it's not needed.
  • Pipeline finished with Success
    about 1 year ago
    Total: 177s
    #225335
  • Comment 11 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States pookmish

    There was a reason when the code was first written. I think it was something to do with the summary provided by one of the condition plugins not being compatible.

    Looking at the git blame brings up this issue: πŸ› Calling ->render()on string throws errors Fixed .

    But now looking at it, that is an issue with the condition_path module, not this module. However, it's doesn't appear to need to be decoded and leaving the summary un-rendered works fine.

    So this seems appropriate to me.

  • Comment 11 days ago β†’
    System Message
  • Comment 11 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States pookmish
  • Comment 11 days ago β†’
    System Message

    Now that this issue is closed, please review the contribution record.

    As a contributor, attribute any organization helped you, or if you volunteered your own time.

    Maintainers, please credit people who helped resolve this issue.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024